Abstract 

We present a mathematical state-machine model, the Dynamic I/O Automaton (DIOA) 
model, for defining and analyzing dynamic systems of interacting components. The systems we 
consider are dynamic in two senses: (1) components can be created and destroyed as computation 
proceeds, and (2) the events in which the components may participate may change. The new 
model admits a notion of external system behavior, based on sets of traces. It also features 
a parallel composition operator for dynamic systems, which respects external behavior, and a 
notion of simulation from one dynamic system to another, which can be used to prove that one 
system implements the other. 

We establish fundamental compositionality results for DIOA: if one component is replaced 
by another whose traces are a subset of the former, then the set of traces of the system as a 
whole can only be reduced, and not increased, i.e., no new behaviors are added. This permits the 
refinement of components and subsystems in isolation from the entire system. It also provides the 
foundation for a design methodology based solely on the notion of externally visible behavior. 
This is in contrast to, for example, the π-calculus, where a component can be replaced by 
another only by establishing a bisimulation between components, i.e., a relationship between 
components based on their internal state-transitions, rather than the externally visible actions 
at their interface. As is well-known, simulation and bisimulation relations are incomplete with 
respect to trace inclusion. Hence, our approach is more abstract and complete: it permits the 
refinement of one component by another in cases which the π-calculus could not accommodate. 

The DIOA model was defined to support the analysis of mobile agent systems, in a joint 
project with researchers at Nippon Telegraph and Telephone. It can also be used for other 
forms of dynamic systems, such as systems described by means of object-oriented programs, 
and systems containing services with changing access permissions. 
1 Introduction 

Many modern distributed systems are dynamic: they involve changing sets of components, which are 
created and destroyed as computation proceeds, and changing capabilities for existing components. 
For example, programs written in object-oriented languages such as Java involve objects that create 
new objects as needed, and create new references to existing objects. Mobile agent systems involve 
agents that create and destroy other agents, travel to different network locations, and transfer 
communication capabilities. 

To describe and analyze such distributed systems rigorously, one needs an appropriate mathematical 
foundation: a state-machine-based framework that allows modeling of individual components 
and their interactions and changes. The framework should admit standard modeling methods 
such as parallel composition and levels of abstraction, and standard proof methods such as invariants 
and simulation relations. At the same time, the framework should be simple enough to use as 
a basis for distributed algorithm analysis. 

Static mathematical models like I/O automata [LT89] could be used for this purpose, with 
the addition of some extra structure (special Boolean flags) for modeling dynamic aspects. For 
example, in [LMWF94], dynamically-created transactions were modeled as if they existed all along, 
but were "awakened" upon execution of special create actions. However, dynamic behavior has by 
now become so prevalent that it deserves to be modeled directly. The main challenge is to identify 
a small, simple set of constructs that can be used as a basis for describing most interesting dynamic 
systems. 

In this paper, we present our proposal for such a model: the Dynamic I/O Automaton (DIOA) 
model. Our basic idea is to extend I/O automata with the ability to change their signatures 
dynamically, and to create other I/O automata. We then combine such extended automata into 
global configurations. The DIOA model admits a notion of external system behavior, based on 
sets of traces. It also features a parallel composition operator for dynamic systems, which respects 
external behavior (traces) and satisfies standard execution projection/pasting and trace pasting 
results, and a notion of simulation relation from one dynamic system X to another dynamic system 
Y, which can be used to prove that X implements Y. 

To express dynamic aspects, DIOA augments the I/O automaton model with: 

• Creation of automata: an automaton can "create" a new automaton. The execution of an 
action a of an automaton can, as a side effect, cause the creation of a set of automata, if 
these are not already present. We call automata that can create other automata signature 
I/O automata, abbreviated as SIOA. 

• Two-level semantics: Due to the introduction of dynamic automaton creation, the semantics 
of an automaton is no longer accurately given by its transition relation. The effect of creation 
must also be considered. Thus, the semantics is given by a second class of automata, called 
configuration automata. Each state of a configuration automaton is mapped to the collection 
of signature I/O automata that are currently "awake," together with the current local state 
of each one. 

• Variable signatures: The signature of an SIOA is a function of its state, and so can change 
as the SIOA makes state transitions. In particular, an SIOA "dies" by changing its signature 
to the empty set, after which it is incapable of performing any action. 



We defined the DIOA model initially to support the analysis of mobile agent systems, in a joint 
project with researchers at Nippon Telephone and Telegraph. Creation and destruction of agents 
are modeled directly within the DIOA model. Other important agent concepts such as changing 
locations and capabilities are described in terms of changing signatures, using additional structure. 
Our preliminary work on modeling and analyzing agent systems appeared in the NASA workshop 
on formal methods for agent systems [AAK+00]. We are currently considering the use of DIOA 
to model and analyze object-oriented programs; here, creation of new objects is modeled directly, 
while addition of references is modeled as a signature change. 

One issue that arises in systems where components can be created dynamically is that of 
clones: suppose a particular component is created twice, in succession. In general, this can result 
in the creation of two (or more) indistinguishable copies of the component, known as clones. We 
make the fundamental assumption in our model that this situation does not arise: components can 
always be distinguished, for example, by a logical timestamp at the time of creation. This absence 
of clones assumption does not preclude reasoning about situations in which an SIOA $A_1$ cannot 
be distinguished from another SIOA $A_2$ by the other SIOA in the system. This could occur, for 
example, due to a malicious host which "replicates" agents that visit it. We distinguish between 
such replicas at the meta-theoretic level by assigning unique identifiers to each. These identifiers 
are not available to the other SIOA in the system, which remain unable to tell $A_1$ and $A_2$ apart, for 
example in the sense of the "knowledge" [HM90] about $A_1$ and $A_2$ which the other SIOA possess. 

Related work: Most approaches to the modeling of dynamic systems are based on a process 
algebra, in particular, the π-calculus [Mil99] or one of its variants. Such approaches [CG00, FGL+96, 
RH98] model dynamic aspects by introducing channels and/or locations (names) as basic notions. 
Our model makes a different choice of primitive notion: it chooses actions and automata as primitive, 
and does not include channels and their transmission as primitive. Our approach is also different 
in that it is primarily a (set-theoretic) mathematical model, rather than a formal language and 
calculus. We expect that notions such as channel and location will be built upon the basic model 
using additional layers (as we do for modeling agent mobility in terms of signature change). Also, 
we ignore issues (e.g., syntax) that are important when designing a programming language (the 
"precondition-effect" notation in which we present an example is informal, and is not part of our 
model). Another difference with process-algebraic approaches is that we use trace inclusion 
for refinement, rather than bisimulation. This allows us more latitude in refinement, in two ways. 
First, trace inclusion permits the implementation to have fewer externally visible behaviors (traces) 
than the specification, whereas bisimulation requires equality of the trace sets of implementation 
and specification. Second, a refinement relation based only on the externally visible behavior 
is necessarily more abstract than one based on the internal state-transitions. It is well-known 
that simulation is incomplete with respect to trace inclusion: there are simple examples of trace 
inclusion that cannot be established by means of a (forward) simulation relation. Our example 
will demonstrate the advantages of our approach. Finally, our model has a well-defined notion of 
projection onto a subsystem. This is a crucial prerequisite for compositional reasoning, and is 
usually missing from process-algebraic approaches. 

The paper is organized as follows. Section 2 presents signature I/O automata. Section 3 
presents execution projection and pasting results, trace pasting results, and trace substitutivity 
results. These provide the basis for compositional reasoning in our model. Section 5 shows how 
configuration automata are built up from signature I/O automata. Section 6 extends our compositional 
reasoning results to configuration automata. Section 4 proposes an appropriate notion of 
forward simulation for DIOA. Section 7 discusses how mobility and locations can be modeled in 
DIOA. Section 8 presents an example: an agent whose purpose is to traverse a set of databases in 
search of a satisfactory airline flight, and to purchase such a flight if it finds it. Section 9 discusses 
further research and concludes. 

2 Signature I/O Automata 

We assume the existence of a set $Autids$ of unique SIOA identifiers, an underlying universal set $Auts$ 
of SIOA, and a mapping $aut : Autids \mapsto Auts$. $aut(A)$ is the SIOA with identifier $A$. We use "the 
automaton $A$" to mean "the SIOA with identifier $A$". We use the letters $A, B$, possibly subscripted 
or primed, for SIOA identifiers. 

In a particular state $s$, the executable actions are drawn from a signature $sig(A)(s) = (in(A)(s), out(A)(s), int(A)(s))$, 
called the state signature, which is a function of its current state. $in(A)(s)$, 
$out(A)(s)$, $int(A)(s)$ are pairwise disjoint sets of input, output, and internal actions, respectively. 
We define $ext(A)(s)$, the external signature of $A$ in state $s$, to be $ext(A)(s) = (in(A)(s), out(A)(s))$. 

For any signature component, generally, the $\widehat{\cdot}$ operator yields the union of the sets of actions 
within the signature, e.g., $\widehat{sig}(A)(s) = in(A)(s) \cup out(A)(s) \cup int(A)(s)$. 

Definition 1 (SIOA) An SIOA $aut(A)$ consists of the following components: 

1. A set $states(A)$ of states. 

2. A nonempty set $start(A) \subseteq states(A)$ of start states. 

3. A signature mapping $sig(A)$ where for each $s \in states(A)$, $sig(A)(s) = (in(A)(s), out(A)(s), int(A)(s))$. 

4. A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$, where $acts(A) = \bigcup_{s \in states(A)} \widehat{sig}(A)(s)$, 

and satisfies the following constraints on those components: 

1. $\forall (s, a, s') \in steps(A) : a \in \widehat{sig}(A)(s)$. 

2. $\forall s \in states(A), \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$. 

3. $\forall s \in states(A) : in(A)(s) \cap out(A)(s) = in(A)(s) \cap int(A)(s) = out(A)(s) \cap int(A)(s) = \emptyset$. 

Constraint 1 requires that any executed action be in the signature of the initial state of the 
transition. Constraint 2 extends the input enabling requirement of I/O automata to SIOA. Con- 
straint 3 requires that in any state, an action cannot be both an input and an output, etc. However, 
the same action can be an input in one state and an output in another. This is in contrast to ordinary 
I/O automata, where the signature of an automaton is fixed once and for all, and cannot vary 
with the state. Thus, an action is either always an input, always an output, or always internal. 

If $(s, a, s') \in steps(A)$, we also write $s \xrightarrow{a} s'$. For the sake of brevity, we write $states(A)$ instead 
of $states(aut(A))$, i.e., the components of an automaton are identified by applying the appropriate 
selector function to the automaton identifier, rather than the automaton itself. 

The components $in(A)(s)$, $out(A)(s)$, $int(A)(s)$ are the input, output, and internal actions of 
$sig(A)(s)$. We define $ext(A)(s) = (in(A)(s), out(A)(s))$. 



Definition 2 (Execution, trace of SIOA) An execution fragment $\alpha$ of an SIOA $A$ is a nonempty 
(finite or infinite) sequence $s_0 a_1 s_1 a_2 \ldots$ of alternating states and actions such that $(s_{j-1}, a_j, s_j) \in steps(A)$ 
for each triple $(s_{j-1}, a_j, s_j)$ occurring in $\alpha$. Also, $\alpha$ ends in a state if it is finite. An 
execution of $A$ is an execution fragment of $A$ whose first state is in $start(A)$. $execs(A)$ denotes the 
set of executions of SIOA $A$. 

Given an execution fragment $\alpha = s_0 a_1 s_1 a_2 \ldots$ of $A$, the trace of $\alpha$ (denoted $trace(\alpha)$) is the 
sequence that results from 

1. removing all $a_i$ such that $a_i \notin \widehat{ext}(A)(s_{i-1})$, i.e., $a_i$ is an internal action of $s_{i-1}$, and then 

2. replacing each $s_i$ by its external signature $ext(A)(s_i)$, and then 

3. replacing each maximal block $ext(A)(s_i), \ldots, ext(A)(s_{i+k})$ such that $(\forall j : 0 \le j \le k : ext(A)(s_{i+j}) = ext(A)(s_i))$ 
by $ext(A)(s_i)$, i.e., replacing each maximal block of identical external signatures by 
a single representative. (Note: this also applies to an infinite suffix of identical signatures, i.e., 
$k = \omega$.) 

Thus, a trace is a sequence of external actions and external signatures that starts with an external 
signature. Also, if the trace is finite, then it ends with an external signature. Traces are our notion 
of externally visible behavior. A trace $\beta$ of an execution $\alpha$ exposes the external actions along $\alpha$, 
and the external signatures of states along $\alpha$, except that repeated identical external signatures 
along $\alpha$ do not show up in $\beta$. Thus, the external signature of the first state of $\alpha$, and then all 
subsequent changes to the external signature, are made visible in $\beta$. $traces(A)$, the set of traces of 
an SIOA $A$, is the set $\{\beta \mid \exists \alpha \in execs(A) : \beta = trace(\alpha)\}$. We write $s \xrightarrow{\alpha} s'$ iff there exists an 
execution fragment $\alpha$ of $A$ starting in $s$ and ending in $s'$. If a state $s$ lies along some execution, 
then we say that $s$ is reachable. Otherwise, $s$ is unreachable. 

The length $|\alpha|$ of a finite execution $\alpha$ is the number of transitions along $\alpha$. The length of 
an infinite execution is infinite ($\omega$). If $|\alpha| = 0$, then $\alpha$ consists of a single state. If execution 
$\alpha = s_0 a_1 s_1 a_2 \ldots$, then for $0 \le i \le |\alpha|$, define $\alpha|i = s_0 a_1 s_1 a_2 \ldots a_i s_i$. We define a concatenation 
operator $\frown$ for executions as follows. If $\alpha' = s_0 a_1 s_1 a_2 \ldots a_i s_i$ is a finite execution fragment and 
$\alpha'' = t_0 b_1 t_1 b_2 \ldots$ is an execution fragment, then $\alpha' \frown \alpha''$ is defined to be the execution fragment 
$s_0 a_1 s_1 a_2 \ldots a_i t_0 b_1 t_1 b_2 \ldots$ only when $s_i = t_0$. If $s_i \neq t_0$, then $\alpha' \frown \alpha''$ is undefined. 
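As an added illustration (not code from the paper), the following Python encodes a small SIOA whose signature varies with its state, checks the three constraints of Definition 1, and computes $trace(\alpha)$ by the three steps of Definition 2. The agent automaton, its execution and the broken variant are sample data constructed for this example; `union` stands for the hat operator and `ext` for $ext(A)(s)$.

```python
"""Added example, not code from the paper: a signature I/O automaton whose
signature changes with its state (it dies by emptying its signature), the
three constraints of Definition 1, and the trace function of Definition 2."""
from itertools import chain


def union(sig):
    """The 'hat' operator: all actions of a signature (in, out, int)."""
    return frozenset(chain.from_iterable(sig))


def ext(A, s):
    """External signature ext(A)(s) = (in(A)(s), out(A)(s))."""
    ins, outs, _ = A["sig"][s]
    return (ins, outs)


def check_sioa(A):
    """Return the Definition 1 constraint violations; an empty list means A is an SIOA."""
    bad = []
    for (s, a, _) in A["steps"]:                         # constraint 1
        if a not in union(A["sig"][s]):
            bad.append(f"constraint 1: {a} not in sig({s})")
    for s in A["states"]:
        ins, outs, ints = A["sig"][s]
        for a in ins:                                    # constraint 2: input enabling
            if not any(x == s and b == a for (x, b, _) in A["steps"]):
                bad.append(f"constraint 2: input {a} not enabled in {s}")
        if ins & outs or ins & ints or outs & ints:      # constraint 3: disjointness
            bad.append(f"constraint 3: overlapping action classes in {s}")
    return bad


def trace(A, execution):
    """Definition 2: execution s0 a1 s1 a2 ... -> trace of external actions and signatures."""
    states, actions = execution[0::2], execution[1::2]
    seq = [ext(A, states[0])]
    for prev, a, nxt in zip(states, actions, states[1:]):
        if a in union(ext(A, prev)):        # step 1: keep a only if it is external in prev
            seq.append(a)
        seq.append(ext(A, nxt))             # step 2: every state becomes its external signature
    out = []                                # step 3: collapse blocks of identical signatures
    for x in seq:
        if out and not isinstance(x, str) and x == out[-1]:
            continue
        out.append(x)
    return out


# Constructed sample: an agent that accepts a request, answers, and may die.
# "tick" and "die" are internal; the dead state has the empty signature.
AGENT = {
    "states": {"idle", "working", "dead"}, "start": {"idle"},
    "sig": {"idle":    (frozenset({"req"}), frozenset(), frozenset({"tick"})),
            "working": (frozenset(), frozenset({"resp"}), frozenset({"die"})),
            "dead":    (frozenset(), frozenset(), frozenset())},
    "steps": {("idle", "tick", "idle"), ("idle", "req", "working"),
              ("working", "resp", "idle"), ("working", "die", "dead")},
}
# Constructed execution; its trace shows the death only as a signature change.
EXEC = ["idle", "tick", "idle", "req", "working", "resp", "idle",
        "req", "working", "die", "dead"]
# Violates constraint 2: "cancel" is an input in idle but no step accepts it.
BROKEN = {**AGENT, "sig": {**AGENT["sig"],
          "idle": (frozenset({"req", "cancel"}), frozenset(), frozenset({"tick"}))}}
```

The trace of `EXEC` has eight elements: the internal `tick` and `die` disappear, the two adjacent copies of the idle signature collapse into one, and the final empty signature is all that remains of the death.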

2.1 Parallel Composition of Signature I/O Automata 

The operation of composing a finite number n of SIOA together gives the technical definition of 
the idea of n SIOA executing concurrently. As with ordinary I/O automata, we require that the 
signatures of the SIOA be compatible, in the usual sense that there are no common outputs, and 
no internal action of one automaton is an action of another. 

Definition 3 (Compatible signatures) Let $S$ be a set of signatures. Then $S$ is compatible iff, 
for all $sig \in S$, $sig' \in S$, where $sig = (in, out, int)$, $sig' = (in', out', int')$ and $sig \neq sig'$, we have: 

1. $(in \cup out \cup int) \cap int' = \emptyset$, and 

2. $out \cap out' = \emptyset$. 



Since the signatures of SIOA vary with the state, we require compatibility for all possible 
combinations of states of the automata being composed. Our definition is "conservative" in that 
it requires compatibility for all combinations of states, not just those that are reachable in the 
execution of the composed automaton. This results in significantly simpler and cleaner definitions, 
and does not detract from the applicability of the theory. 

Definition 4 (Compatible SIOA) Let $A_1, \ldots, A_n$ be SIOA. $A_1, \ldots, A_n$ are compatible if and 
only if for every $(s_1, \ldots, s_n) \in states(A_1) \times \cdots \times states(A_n)$, $\{sig(A_1)(s_1), \ldots, sig(A_n)(s_n)\}$ is a 
compatible set of signatures. 

Definition 5 (Composition of Signatures) Let $\Sigma = (in, out, int)$ and $\Sigma' = (in', out', int')$ be 
compatible signatures. Then we define their composition $\Sigma \times \Sigma' = (in \cup in' - (out \cup out'), out \cup out', int \cup int')$. 

Signature composition is clearly commutative and associative. We therefore use $\prod$ for the $n$-ary 
version of $\times$. Let $[n] = \{i \mid 1 \le i \le n\}$. 

As with I/O automata, the SIOA synchronize on same-named actions. To devise a theory that 
accommodates the hierarchical construction of systems, we ensure that the composition of n SIOA 
is itself an SIOA. 

Definition 6 (Composition of SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA. Then $A = A_1 \parallel \cdots \parallel A_n$ 
is the state-machine consisting of the following components: 

1. A set of states $states(A) = states(A_1) \times \cdots \times states(A_n)$ 

2. A set of start states $start(A) = start(A_1) \times \cdots \times start(A_n)$ 

3. A signature mapping $sig(A)$ as follows. For each $s = (s_1, \ldots, s_n) \in states(A)$, $sig(A)(s) = sig(A_1)(s_1) \times \cdots \times sig(A_n)(s_n)$ 

4. A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$ which is the set of all 
$((s_1, \ldots, s_n), a, (t_1, \ldots, t_n))$ such that 

(a) $a \in \widehat{sig}(A_1)(s_1) \cup \ldots \cup \widehat{sig}(A_n)(s_n)$, and 

(b) for all $i \in [n]$: if $a \in \widehat{sig}(A_i)(s_i)$, then $(s_i, a, t_i) \in steps(A_i)$, otherwise $s_i = t_i$ 

If $s = (s_1, \ldots, s_n) \in states(A)$, then define $s \lceil A_i = s_i$, for $i \in [n]$. 

Since our goal is to deal with dynamic systems, we must define the composition of a variable 
number of SIOA at some point. We do this below in Section 5, where we deal with creation and 
destruction of SIOA. Roughly speaking, parallel composition is intended to model the composition 
of a finite number of large systems, for example a local-area network together with all of the 
attached hosts. Within each system however, an unbounded number of new components, for 
example processes, threads, or software agents, can be created. Thus, at any time, there is a finite 
but unbounded number of components in each system, and a finite, fixed, number of "top level" 
systems. 

Proposition 1 Let $A_1, \ldots, A_n$ be compatible SIOA. Then $A = A_1 \parallel \cdots \parallel A_n$ is an SIOA. 



Proof: We must show that $A$ satisfies the constraints of Definition 1. We deal with each constraint 
in turn. 

Constraint 1: Let $(s, a, s') \in steps(A)$. Then, $s$ can be written as $(s_1, \ldots, s_n)$. From Definition 6, 
clause 4, $a \in \widehat{sig}(A_1)(s_1) \cup \ldots \cup \widehat{sig}(A_n)(s_n)$. From Definition 6, clause 3, $\widehat{sig}(A_1)(s_1) \cup \ldots \cup \widehat{sig}(A_n)(s_n) = \widehat{sig}(A)(s)$. 
Hence $a \in \widehat{sig}(A)(s)$. 

Constraint 2: Let $s \in states(A)$, $a \in in(A)(s)$. Then, $s$ can be written as $(s_1, \ldots, s_n)$. From 
Definition 6, clause 3, $a \in (\bigcup_{1 \le i \le n} in(A_i)(s_i)) - out(A)(s)$. Hence, there exists $\varphi \subseteq \{1, \ldots, n\}$ 
such that $\forall i \in \varphi : a \in in(A_i)(s_i)$, and $\forall i \in \{1, \ldots, n\} - \varphi : a \notin \widehat{sig}(A_i)(s_i)$. Since each $A_i$ satisfies 
Constraint 2 of Definition 1, we have: 

$\forall i \in \varphi : \exists t_i : (s_i, a, t_i) \in steps(A_i)$. 
By Definition 6, Clause 4, 

$\exists t : (s, a, t) \in steps(A)$, where $\forall i \in \varphi : t \lceil A_i = t_i$, and $\forall i \in \{1, \ldots, n\} - \varphi : t \lceil A_i = s_i$. 
Hence Constraint 2 is satisfied. 

Constraint 3: Each $A_i$ satisfies Constraint 3 of Definition 1. From this and Definitions 6 and 5, it 
is easy to see that $A$ also satisfies Constraint 3. □ 



2.2 Action Hiding for Signature I/O Automata 

The operation of action hiding allows us to convert output actions into internal actions, and is 
useful in specifying the set of actions that are to be visible at the interface of a system. 

Definition 7 (Action hiding for SIOA) Let $A$ be an SIOA and $\Sigma$ a set of actions. Then $A \setminus \Sigma$ 
is the state-machine given by: 

1. A set of states $states(A \setminus \Sigma) = states(A)$ 

2. A set of start states $start(A \setminus \Sigma) = start(A)$ 

3. A signature mapping $sig(A \setminus \Sigma)$ as follows. For each $s \in states(A)$, 
$sig(A \setminus \Sigma)(s) = (in(A \setminus \Sigma)(s), out(A \setminus \Sigma)(s), int(A \setminus \Sigma)(s))$, where 

(a) $out(A \setminus \Sigma)(s) = out(A)(s) - \Sigma$ 

(b) $in(A \setminus \Sigma)(s) = in(A)(s)$ 

(c) $int(A \setminus \Sigma)(s) = int(A)(s) \cup (out(A)(s) \cap \Sigma)$ 

4. A transition relation $steps(A \setminus \Sigma) = steps(A)$ 

Proposition 2 Let $A$ be an SIOA and $\Sigma$ a set of actions. Then $A \setminus \Sigma$ is an SIOA. 

Proof: We must show that $A \setminus \Sigma$ satisfies the constraints of Definition 1. We deal with each 
constraint in turn. 

Constraint 1: From Definition 7, we have, for any $s \in states(A \setminus \Sigma)$: $\widehat{sig}(A \setminus \Sigma)(s) = (out(A)(s) - \Sigma) \cup in(A)(s) \cup (int(A)(s) \cup (out(A)(s) \cap \Sigma)) = ((out(A)(s) - \Sigma) \cup (out(A)(s) \cap \Sigma)) \cup in(A)(s) \cup int(A)(s) = out(A)(s) \cup in(A)(s) \cup int(A)(s) = \widehat{sig}(A)(s)$. 

Since $A$ is an SIOA, we have $\forall (s, a, s') \in steps(A) : a \in \widehat{sig}(A)(s)$. From Definition 7, 
$steps(A \setminus \Sigma) = steps(A)$. Hence, $\forall (s, a, s') \in steps(A \setminus \Sigma) : a \in \widehat{sig}(A \setminus \Sigma)(s)$. Thus, Constraint 1 
holds for $A \setminus \Sigma$. 

Constraint 2: From Definition 7, $states(A \setminus \Sigma) = states(A)$, $steps(A \setminus \Sigma) = steps(A)$, and for all 
$s \in states(A \setminus \Sigma)$, $in(A \setminus \Sigma)(s) = in(A)(s)$. 

Since $A$ is an SIOA, we have Constraint 2 for $A$: 

$\forall s \in states(A), \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$. 
Hence, we also have 

$\forall s \in states(A \setminus \Sigma), \forall a \in in(A \setminus \Sigma)(s), \exists s' : (s, a, s') \in steps(A \setminus \Sigma)$. 
Hence Constraint 2 holds for $A \setminus \Sigma$. 

Constraint 3: $A$ satisfies Constraint 3 of Definition 1. From this and Definitions 6 and 5, it is easy 
to see that $A \setminus \Sigma$ also satisfies Constraint 3. □ 

2.3 Action Renaming for Signature I/O Automata 

The operation of action renaming allows us to rename actions uniformly, that is, all occurrences 
of an action name are replaced by another action name, and the mapping is also one-to-one. This 
is useful in defining "parameterized" systems, in which there are many instances of a "generic" 
component, all of which have similar functionality. Examples of this include the servers in a client- 
server system, the components of a distributed database system, and hosts in a network. 

Definition 8 (Action renaming for SIOA) Let $A$ be an SIOA and let $\rho$ be an injective mapping 
from actions to actions whose domain includes $acts(A)$. Then $\rho(A)$ is the state machine given by: 

1. $start(\rho(A)) = start(A)$ 

2. $states(\rho(A)) = states(A)$ 

3. for each $s \in states(A)$, $sig(\rho(A))(s) = (in(\rho(A))(s), out(\rho(A))(s), int(\rho(A))(s))$, where 

(a) $out(\rho(A))(s) = \rho(out(A)(s))$ 

(b) $in(\rho(A))(s) = \rho(in(A)(s))$ 

(c) $int(\rho(A))(s) = \rho(int(A)(s))$ 

4. A transition relation $steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$ 

Proposition 3 Let $A$ be an SIOA and let $\rho$ be an injective mapping from actions to actions whose 
domain includes $acts(A)$. Then, $\rho(A)$ is an SIOA. 

Proof: We must show that $\rho(A)$ satisfies the constraints of Definition 1. We deal with each 
constraint in turn. 

Constraint 1: From Definition 8, we have, for any $s \in states(\rho(A))$: $\widehat{sig}(\rho(A))(s) = out(\rho(A))(s) \cup in(\rho(A))(s) \cup int(\rho(A))(s) = \rho(out(A)(s)) \cup \rho(in(A)(s)) \cup \rho(int(A)(s)) = \rho(\widehat{sig}(A)(s))$. 

Since $A$ is an SIOA, we have $\forall (s, a, s') \in steps(A) : a \in \widehat{sig}(A)(s)$. From Definition 8, 
$steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$. 

Hence, if $(s, \rho(a), t)$ is an arbitrary element of $steps(\rho(A))$, then $(s, a, t) \in steps(A)$, and 
so $a \in \widehat{sig}(A)(s)$. Hence $\rho(a) \in \rho(\widehat{sig}(A)(s))$. Since $\rho(\widehat{sig}(A)(s)) = \widehat{sig}(\rho(A))(s)$, we conclude 
$\rho(a) \in \widehat{sig}(\rho(A))(s)$. Hence, $\forall (s, \rho(a), s') \in steps(\rho(A)) : \rho(a) \in \widehat{sig}(\rho(A))(s)$. Thus, Constraint 1 
holds for $\rho(A)$. 

Constraint 2: From Definition 8, $states(\rho(A)) = states(A)$, $steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$, 
and for all $s \in states(\rho(A))$, $in(\rho(A))(s) = \rho(in(A)(s))$. 

Since $A$ is an SIOA, we have Constraint 2 for $A$: 

$\forall s \in states(A), \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$. 
Hence, we also have 

$\forall s \in states(\rho(A)), \forall a \in in(\rho(A))(s), \exists s' : (s, a, s') \in steps(\rho(A))$. 
Hence Constraint 2 holds for $\rho(A)$. 

Constraint 3: $A$ satisfies Constraint 3 of Definition 1. From this and Definitions 6 and 5, it is easy 
to see that $\rho(A)$ also satisfies Constraint 3. □ 



3 Compositional Reasoning for Signature I/O Automata 

To confirm that our model provides a reasonable notion of concurrent composition, which has 
expected properties, and to enable compositional reasoning, we establish execution "projection" 
and "pasting" results for compositions. We deal with both execution projection/pasting, and also 
with trace pasting. 

3.1 Execution Projection and Pasting for SIOA 

Given a parallel composition $A = A_1 \parallel \cdots \parallel A_n$ of $n$ SIOA, we define the projection of an 
alternating sequence of states and actions of $A$ onto one of the $A_i$, $i \in [n]$, in the usual way: the 
state components for all SIOA other than $A_i$ are removed, and so are all actions in which $A_i$ does 
not participate. 

Definition 9 (Execution projection for SIOA) Let $A = A_1 \parallel \cdots \parallel A_n$ be an SIOA. Let $\alpha$ be a 
sequence $s_0 a_1 s_1 a_2 s_2 \ldots s_{j-1} a_j s_j \ldots$ where $\forall j \ge 0$, $s_j = (s_{j,1}, \ldots, s_{j,n}) \in states(A)$ and $\forall j > 0$, $a_j \in \widehat{sig}(A)(s_{j-1})$. 
Then, for $i \in [n]$, define $\alpha \lceil A_i$ to be the sequence resulting from: 

1. replacing each $s_j$ by its $i$'th component $s_{j,i}$, and then 

2. removing all $a_j s_{j,i}$ such that $a_j \notin \widehat{sig}(A_i)(s_{j-1,i})$. 

$s_{j,i}$ is the component of $s_j$ which gives the state of $A_i$. $sig(A_i)(s_{j-1,i})$ is the signature of $A_i$ 
when in state $s_{j-1,i}$. Thus, if $a_j \notin \widehat{sig}(A_i)(s_{j-1,i})$, then the action $a_j$ does not occur in the signature 
$sig(A_i)(s_{j-1,i})$, and $A_i$ does not participate in the execution of $a_j$. In this case, $a_j$ and the following 
state are removed from the projection, since the idea behind execution projection is to retain only 
the state of $A_i$, and only the actions which $A_i$ participates in. Note that we do not require $\alpha$ to 
actually be an execution of $A$, since this is unnecessary for the definition, and also facilitates the 
statement of execution pasting below. 

Our execution projection result states that the projection of an execution of a composed SIOA 
$A = A_1 \parallel \cdots \parallel A_n$ onto a component $A_i$ is an execution of $A_i$. 

Theorem 4 (Execution projection for SIOA) Let $A = A_1 \parallel \cdots \parallel A_n$ be an SIOA. If $\alpha \in execs(A)$ 
then $\alpha \lceil A_i \in execs(A_i)$. 

Proof: Let $\alpha = u_0 a_1 u_1 a_2 u_2 \ldots \in execs(A)$, and let $s_0 = u_0 \lceil A_i$. Then, by Definition 9, $s_0 \in start(A_i)$ 
and $\alpha \lceil A_i = s_0 b_1 s_1 b_2 s_2 \ldots$ for some $b_1 s_1 b_2 s_2 \ldots$, where $s_j \in states(A_i)$ for $j \ge 1$. 

Consider an arbitrary step $(s_{j-1}, b_j, s_j)$ of $\alpha \lceil A_i$. Since $b_j s_j$ was not removed in Clause 2 of 
Definition 9, we have 

(1) $s_j = u_k \lceil A_i$ for some $k > 0$ such that $a_k \in \widehat{sig}(A_i)(u_{k-1} \lceil A_i)$, 

(2) $b_j = a_k$, and 

(3) $s_{j-1} = u_\ell \lceil A_i$ for the smallest $\ell$ such that 

$\ell < k$ and $\forall m : \ell + 1 \le m < k : a_m \notin \widehat{sig}(A_i)(u_{m-1} \lceil A_i)$. 

From (3) and Definitions 6 and 9, $u_\ell \lceil A_i = u_{k-1} \lceil A_i$. Hence $s_{j-1} = u_{k-1} \lceil A_i$. From $u_{k-1} \xrightarrow{a_k}_A u_k$, 
$a_k \in \widehat{sig}(A_i)(u_{k-1} \lceil A_i)$, and Definition 6, we have $u_{k-1} \lceil A_i \xrightarrow{a_k}_{A_i} u_k \lceil A_i$. Hence $s_{j-1} \xrightarrow{b_j}_{A_i} s_j$ from $s_{j-1} = u_{k-1} \lceil A_i$ 
established above and (1), (2). Now $s_{j-1}, s_j \in states(A_i)$, and so $(s_{j-1}, b_j, s_j) \in steps(A_i)$. 

Since $(s_{j-1}, b_j, s_j)$ was arbitrarily chosen, we conclude that every step of $\alpha \lceil A_i$ is a step of $A_i$. 
Since the first state of $\alpha \lceil A_i$ is $s_0$, and $s_0 \in start(A_i)$, we have established that $\alpha \lceil A_i$ is an execution 
of $A_i$. □ 
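The following Python, added here and not the paper's own code, serves both Section 2.1 (Definitions 3 to 6) and this section: it builds the parallel composition of a list of SIOA, checking compatibility over every state combination as Definition 4 requires, projects an execution of the composition onto a component as in Definition 9, and checks the hypotheses of Theorems 4 and 5. The client/server automata, the execution and the sequence that violates condition 2 of Theorem 5 are constructed sample data; `union` stands for the hat operator.

```python
"""Added example, not code from the paper: parallel composition of SIOA
(Definitions 3-6), execution projection (Definition 9), and a check of the
hypotheses of Theorems 4 and 5 on a constructed client/server system."""
from itertools import chain, product


def union(sig):
    """The 'hat' operator: all actions of a signature (in, out, int)."""
    return frozenset(chain.from_iterable(sig))


def compatible(sigs):
    """Definition 3 over a list: no shared outputs, and no internal action of
    one signature occurs anywhere in another signature."""
    for x, y in product(range(len(sigs)), repeat=2):
        if x != y and (union(sigs[x]) & sigs[y][2] or sigs[x][1] & sigs[y][1]):
            return False
    return True


def compose_sigs(sigs):
    """Definition 5, n-ary: an input matched by some output stops being an input."""
    ins, outs, ints = (frozenset(chain.from_iterable(s[k] for s in sigs)) for k in range(3))
    return (ins - outs, outs, ints)


def compose(autos):
    """Definition 6. Each automaton is a dict with keys states, start, sig, steps."""
    states = list(product(*(sorted(A["states"]) for A in autos)))
    for s in states:                       # Definition 4: compatibility in ALL state tuples
        if not compatible([A["sig"][si] for A, si in zip(autos, s)]):
            raise ValueError(f"incompatible signatures in state {s}")
    sig = {s: compose_sigs([A["sig"][si] for A, si in zip(autos, s)]) for s in states}
    steps = set()
    for s in states:
        for a in union(sig[s]):            # clause 4(a): a is in some component's signature
            # clause 4(b): participants take their own a-step, the rest keep their state
            choices = [[t for (x, b, t) in A["steps"] if x == si and b == a]
                       if a in union(A["sig"][si]) else [si]
                       for A, si in zip(autos, s)]
            steps.update((s, a, t) for t in product(*choices))
    start = set(product(*(A["start"] for A in autos)))
    return {"states": set(states), "start": start, "sig": sig, "steps": steps}


def project(autos, i, seq):
    """Definition 9: keep A_i's state component and only the actions in its current signature."""
    states, actions = seq[0::2], seq[1::2]
    out = [states[0][i]]
    for prev, a, nxt in zip(states, actions, states[1:]):
        if a in union(autos[i]["sig"][prev[i]]):
            out += [a, nxt[i]]
    return out


def is_execution(A, seq):
    """Definition 2: the first state is a start state and every triple is a step."""
    states, actions = seq[0::2], seq[1::2]
    return states[0] in A["start"] and all(
        (p, a, n) in A["steps"] for p, a, n in zip(states, actions, states[1:]))


def pasting_conditions(autos, seq):
    """The two hypotheses of Theorem 5: every projection is an execution of its
    component, and no component changes state on an action outside its signature."""
    states, actions = seq[0::2], seq[1::2]
    projections_ok = all(is_execution(A, project(autos, i, seq))
                         for i, A in enumerate(autos))
    no_spurious_change = all(prev[i] == nxt[i]
                             for prev, a, nxt in zip(states, actions, states[1:])
                             for i, A in enumerate(autos)
                             if a not in union(A["sig"][prev[i]]))
    return projections_ok and no_spurious_change


# Constructed sample: a client that outputs req and then waits for resp, and a
# server that accepts req, computes internally, then outputs resp.
CLIENT = {
    "states": {"c_idle", "c_wait"}, "start": {"c_idle"},
    "sig": {"c_idle": (frozenset(), frozenset({"req"}), frozenset()),
            "c_wait": (frozenset({"resp"}), frozenset(), frozenset())},
    "steps": {("c_idle", "req", "c_wait"), ("c_wait", "resp", "c_idle")},
}
SERVER = {
    "states": {"s_idle", "s_busy"}, "start": {"s_idle"},
    "sig": {"s_idle": (frozenset({"req"}), frozenset(), frozenset()),
            "s_busy": (frozenset(), frozenset({"resp"}), frozenset({"compute"}))},
    "steps": {("s_idle", "req", "s_busy"), ("s_busy", "compute", "s_busy"),
              ("s_busy", "resp", "s_idle")},
}
SYSTEM = compose([CLIENT, SERVER])
# Constructed execution of the composition: one request/response round trip.
EXEC = [("c_idle", "s_idle"), "req", ("c_wait", "s_busy"), "compute",
        ("c_wait", "s_busy"), "resp", ("c_idle", "s_idle")]
# Constructed sequence whose projections are executions but which breaks
# condition 2 of Theorem 5: the client changes state on the server's "compute".
SPURIOUS = [("c_idle", "s_idle"), "req", ("c_wait", "s_busy"), "compute", ("c_idle", "s_busy")]
```

Projecting `EXEC` onto the client drops the server's internal `compute` step, and both projections are executions of their components (Theorem 4); `SPURIOUS` shows why Theorem 5 needs its second condition, since its projections pass but it is not an execution of `SYSTEM`.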

Execution pasting is, roughly, an "inverse" of projection. If a is an alternating sequence of 
states and actions of a composed SIOA A = A\ || ■ ■ ■ || A n such that (1) the projection of a onto 
each Ai is an actual execution of Ai, and (2) every action of a not involving Ai does not change 
the state of Ai, then a will be an actual execution of A. Condition (1) is the "inverse" of execution 
projection. Condition (2) is a consistency condition which requires that Ai cannot "spuriously" 
change its state when an action not in the current signature of Ai is executed. 

Theorem 5 (Execution pasting for SIOA) Let $A = A_1 \parallel \cdots \parallel A_n$ be an SIOA. Let $\alpha$ be a 
sequence $s_0 a_1 s_1 a_2 s_2 \ldots s_{j-1} a_j s_j \ldots$ where $\forall j \ge 0$, $s_j = (s_{j,1}, \ldots, s_{j,n}) \in states(A)$ and $\forall j > 0$, $a_j \in \widehat{sig}(A)(s_{j-1})$. 
Furthermore, suppose that 

1. for all $1 \le i \le n$: $\alpha \lceil A_i \in execs(A_i)$, and 

2. for all $j > 0$: if $a_j \notin \widehat{sig}(A_i)(s_{j-1,i})$ then $s_{j-1,i} = s_{j,i}$. 

Then, $\alpha \in execs(A)$. 

Proof: We shall establish, by induction on $j$: 

for all $j \ge 0$, $\alpha|j \in execs(A)$. (*) 

From which we can conclude $s_0 \in start(A)$ and $\forall j > 0 : (s_{j-1}, a_j, s_j) \in steps(A)$. Definition 2 then 
implies the desired conclusion, $\alpha \in execs(A)$. 

Base case: $j = 0$. 

So $\alpha|j = s_0$. Now $s_0 = (s_{0,1}, \ldots, s_{0,n})$ by assumption. By Definition 9, $s_{0,i}$ is the first state of 
$\alpha \lceil A_i$, for $1 \le i \le n$. By clause 1, $\alpha \lceil A_i \in execs(A_i)$, and so $s_{0,i} \in start(A_i)$, for $1 \le i \le n$. Thus, 
by Definition 6, $s_0 \in start(A)$. 

Induction step: $j > 0$. 

Assume the induction hypothesis: 

$\alpha|(j-1) \in execs(A)$ (ind. hyp.) 

and establish $\alpha|j \in execs(A)$. By Definition 2, it is clearly sufficient to establish $s_{j-1} \xrightarrow{a_j}_A s_j$. By 
assumption, $a_j \in \widehat{sig}(A)(s_{j-1})$. 

Let $\varphi \subseteq \{1, \ldots, n\}$ be the unique set such that $\forall i \in \varphi : a_j \in \widehat{sig}(A_i)(s_{j-1} \lceil A_i)$ and $\forall i \in \{1, \ldots, n\} - \varphi : a_j \notin \widehat{sig}(A_i)(s_{j-1} \lceil A_i)$. 
Thus, by Definition 9: 

$\forall i \in \varphi : (s_{j-1} \lceil A_i, a_j, s_j \lceil A_i)$ lies along $\alpha \lceil A_i$. 
Since $\forall i \in \{1, \ldots, n\} : \alpha \lceil A_i \in execs(A_i)$ and $A_i$ is an SIOA, 

$\forall i \in \varphi : s_{j-1} \lceil A_i \xrightarrow{a_j}_{A_i} s_j \lceil A_i$. 
Also, by clause 2, 

$\forall i \in \{1, \ldots, n\} - \varphi : s_{j-1} \lceil A_i = s_j \lceil A_i$. 
By Definition 6, 

$(s_{j-1} \lceil A_1, \ldots, s_{j-1} \lceil A_n) \xrightarrow{a_j}_A (s_j \lceil A_1, \ldots, s_j \lceil A_n)$. 
Hence 

$s_{j-1} \xrightarrow{a_j}_A s_j$. 

From the induction hypothesis $\alpha|(j-1) \in execs(A)$ and $s_{j-1} \xrightarrow{a_j}_A s_j$ and Definition 6, we have 
$\alpha|j \in execs(A)$. □ 



3.2 Trace Pasting for SIOA 

We deal only with trace pasting, and not trace projection. Trace projection is not well-defined since 
a trace of $A = A_1 \parallel \cdots \parallel A_n$ does not contain information about the $A_i$, $i \in [n]$. Since the external 
signatures of each $A_i$ vary, there is no way of determining, from a trace $\beta$, which $A_i$ participate 
in each action along $\beta$. Thus, the projection of $\beta$ onto some $A_i$ cannot be recovered from $\beta$ itself, 
but only from an execution $\alpha$ whose trace is $\beta$. Since there are, in general, several such executions, 
the projection of $\beta$ onto $A_i$ can be different, depending on which execution we select. Hence, the 
projection of $\beta$ onto $A_i$ is not well-defined as a single trace. It could be defined as a set of traces: 
$\beta \lceil A_i = traces(execs(A_i)(\beta))$. We do not pursue this avenue here. 

We find it sufficient to deal only with trace pasting, since we are able to establish our main 
result, trace substitutivity, which states that replacing an SIOA in a parallel composition by one 
whose traces are a subset of the former's, results in a parallel composition whose traces are a subset 
of the original parallel composition's. In other words, trace containment is monotonic with respect 
to parallel composition. 

Let $\Sigma = (in, out, int)$ and $\Sigma' = (in', out', int')$ be signatures. We define $\widehat{\Sigma} = in \cup out \cup int$, and 
$\Sigma \subseteq \Sigma'$ to mean $in \subseteq in'$ and $out \subseteq out'$ and $int \subseteq int'$. 
Definition 10 (Pretrace) A pretrace $\gamma = \gamma(1)\gamma(2)\ldots$ is a nonempty sequence such that 

1. For all $i \ge 1$, $\gamma(i)$ is an external signature or an action 

2. $\gamma(1)$ is an external signature 

3. No two successive elements of $\gamma$ are actions 

4. For all $i > 1$, if $\gamma(i)$ is an action $a$, then $\gamma(i-1)$ is an external signature containing $a$ 
($a \in \widehat{\gamma(i-1)}$) 

5. If $\gamma$ is finite, then it ends in an external signature 

The notion of a pretrace is similar to that of a trace, but it permits "stuttering": the (possibly 
infinite) repetition of the same external signature. This simplifies the subsequent proofs, since it 
allows us to "stretch" and "compress" pretraces corresponding to different SIOA so that they "line 
up" nicely. Our definition of a pretrace does not depend on a particular SIOA, i.e., we have not 
defined "a pretrace of an SIOA $A$" but rather just a pretrace in general. We define "pretrace of 
an SIOA $A$" below. 

Definition 11 (Reduction of pretrace to a trace) Let $\gamma$ be a pretrace. Then $r(\gamma)$ is the result of replacing all maximal blocks of identical external signatures in $\gamma$ by a single representative. In particular, if $\gamma$ has an infinite suffix consisting of repetitions of an external signature, then that is replaced by a single representative.

If $\gamma = r(\gamma)$, then we say that $\gamma$ is a trace. This defines a notion of trace in general, as opposed to "trace of an SIOA $A$." We now define stuttering-equivalence ($\approx$) for pretraces. Essentially, if one pretrace can be obtained from another by adding and/or removing repeated external signatures, then they are stuttering equivalent.

Definition 12 ($\approx$) Let $\gamma, \gamma'$ be pretraces. Then $\gamma \approx \gamma'$ iff $r(\gamma) = r(\gamma')$.

It is obvious that $\approx$ is an equivalence relation. Note that every trace is also a pretrace, but not necessarily vice-versa, since repeated external signatures (stuttering) are disallowed in traces. The length $|\gamma|$ of a finite pretrace $\gamma$ is the number of occurrences of external signatures and actions in $\gamma$. The length of an infinite pretrace is $\omega$. Let pretrace $\gamma = \gamma(1)\gamma(2)\ldots$. Then for $0 < i \le |\gamma|$, define $\gamma|i = \gamma(1)\gamma(2)\cdots\gamma(i)$. We define concatenation for pretraces as simply sequence concatenation, and will usually use juxtaposition to denote trace concatenation, but will sometimes use the $\frown$ operator for clarity. The concatenation of two pretraces is always a pretrace (note that this is not true of traces, since concatenating two traces can result in a repeated external signature). We use $<$, $\le$ for proper prefix, prefix, respectively, of a pretrace: $\gamma < \gamma'$ iff there exists a pretrace $\gamma''$ such that $\gamma' = \gamma\gamma''$, and $\gamma \le \gamma'$ iff $\gamma = \gamma'$ or $\gamma < \gamma'$. If $\gamma'$ is a pretrace and $\gamma < \gamma'$, then $\gamma$ satisfies clauses 2-4 of Definition 10, but may not satisfy clause 5. For a sequence $\gamma$ that does satisfy clauses 2-4 of Definition 10, define the predicate $\mathit{ispretrace}(\gamma) = (\mathit{last}(\gamma)$ is an external signature$)$.

We now define a predicate $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$ which takes $n+1$ pretraces and holds when $\gamma$ is a possible result of "zipping" up $\gamma_1, \ldots, \gamma_n$, as would result when $\gamma_1, \ldots, \gamma_n$ are pretraces of compatible SIOA $A_1, \ldots, A_n$ respectively, and $\gamma$ is the corresponding trace of $A = A_1 \| \cdots \| A_n$.

Definition 13 (zip of pretraces) Let $\gamma, \gamma_1, \ldots, \gamma_n$ all be pretraces ($n \ge 1$). The predicate $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$ holds iff

1. $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$

2. For all $i > 1$: if $\gamma(i)$ is an action $a$, then there exists nonempty $\varphi \subseteq [n]$ such that

(a) $\forall k \in \varphi : \gamma_k(i) = a$

(b) $\forall \ell \in [n] - \varphi : \gamma_\ell(i-1) = \gamma_\ell(i) = \gamma_\ell(i+1)$, $\gamma_\ell(i)$ is an external signature $\Gamma_\ell$, and $a \notin \overline{\Gamma_\ell}$

3. For all $i > 0$: if $\gamma(i)$ is an external signature $\Gamma$, then for all $j \in [n]$, $\gamma_j(i)$ is an external signature $\Gamma_j$, and $\Gamma = \prod_{j \in [n]} \Gamma_j$

4. For all $i > 1$, if $\gamma(i-1)$ and $\gamma(i)$ are both external signatures, then there exists $k \in [n]$ such that $\forall \ell \in [n] - k : \gamma_\ell(i-1) = \gamma_\ell(i)$

Proposition 6 Let $\gamma, \gamma_1, \ldots, \gamma_n$ all be pretraces ($n \ge 1$). Suppose $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. Then, for all $i$ such that $1 \le i \le |\gamma|$ and $\mathit{ispretrace}(\gamma|i)$ (i.e., $\gamma(i)$ is an external signature), $\mathit{zips}(\gamma|i, \gamma_1|i, \ldots, \gamma_n|i)$ holds.

Proof: Immediate from Definition 13. □
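Definitions 10 through 13 are concrete enough to check mechanically. The following is an added example, not code from the paper: a small Python checker for pretraces (Definition 10), the reduction $r$ (Definition 11), stuttering equivalence (Definition 12) and the $\mathit{zips}$ predicate (Definition 13), run on constructed pretraces of three components. It assumes that the product $\prod_j \Gamma_j$ of compatible external signatures is the usual I/O-automaton composition (outputs are the union of the components' outputs, inputs are the union of their inputs minus those outputs), since Definition 6 is not on this page; the component signatures and action names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union


@dataclass(frozen=True)
class Sig:
    inp: FrozenSet[str]   # input actions of an external signature
    out: FrozenSet[str]   # output actions (internal actions are not part of it)

    def __contains__(self, a: str) -> bool:   # "a in Gamma": the flattened in U out
        return a in self.inp or a in self.out


Elem = Union[Sig, str]   # an element of a pretrace: a signature or an action name
Pretrace = List[Elem]


def sig_product(sigs: List[Sig]) -> Sig:
    # ASSUMPTION: Definition 6 is not on this page, so the product of compatible
    # signatures follows the standard I/O-automaton rule: outputs are the union
    # of the outputs, inputs are the union of the inputs minus those outputs.
    outs = frozenset().union(*(s.out for s in sigs))
    ins = frozenset().union(*(s.inp for s in sigs)) - outs
    return Sig(ins, outs)


def is_pretrace(g: Pretrace) -> bool:
    # Definition 10, for finite sequences
    if not g or not isinstance(g[0], Sig):          # nonempty; clause 2
        return False
    for i in range(1, len(g)):
        if isinstance(g[i], str):                    # g[i] is an action a
            if isinstance(g[i - 1], str):            # clause 3: no two actions in a row
                return False
            if g[i] not in g[i - 1]:                 # clause 4: preceding signature has a
                return False
    return isinstance(g[-1], Sig)                    # clause 5: ends in a signature


def reduce_pretrace(g: Pretrace) -> Pretrace:
    # r(gamma), Definition 11: collapse maximal blocks of identical signatures
    out: Pretrace = []
    for e in g:
        if out and isinstance(e, Sig) and e == out[-1]:
            continue
        out.append(e)
    return out


def stutter_equiv(g1: Pretrace, g2: Pretrace) -> bool:
    # Definition 12: gamma1 ~ gamma2 iff r(gamma1) = r(gamma2)
    return reduce_pretrace(g1) == reduce_pretrace(g2)


def zips(g: Pretrace, comps: List[Pretrace]) -> bool:
    # zips(gamma, gamma_1, ..., gamma_n), Definition 13
    n = len(comps)
    if n < 1 or not is_pretrace(g) or not all(is_pretrace(c) for c in comps):
        return False
    if any(len(c) != len(g) for c in comps):                 # clause 1
        return False
    for i, e in enumerate(g):
        if isinstance(e, str):                               # clause 2: action a
            phi = [k for k in range(n) if comps[k][i] == e]  # participants (a)
            if not phi:
                return False
            for l in range(n):
                if l in phi:
                    continue
                c = comps[l]                                 # non-participant stutters (b)
                if not isinstance(c[i], Sig) or c[i - 1] != c[i] or c[i + 1] != c[i]:
                    return False
                if e in c[i]:                                # and a is not in its signature
                    return False
        else:                                                # clause 3: signature product
            here = [c[i] for c in comps]
            if not all(isinstance(x, Sig) for x in here) or e != sig_product(here):
                return False
            if i > 0 and isinstance(g[i - 1], Sig):          # clause 4: at most one changes
                if not any(all(comps[l][i - 1] == comps[l][i]
                               for l in range(n) if l != k) for k in range(n)):
                    return False
    return True


# Constructed sample: A1 outputs a, A2 inputs a, A3 is a bystander with input b.
S1 = Sig(frozenset(), frozenset({"a"}))
S2 = Sig(frozenset({"a"}), frozenset())
S3 = Sig(frozenset({"b"}), frozenset())
S3C = Sig(frozenset({"b", "c"}), frozenset())   # A3 after gaining input c
S1D = Sig(frozenset(), frozenset({"a", "d"}))   # A1 after gaining output d
P = sig_product([S1, S2, S3])                   # in = {b}, out = {a}


def demo() -> Dict[str, bool]:
    return {
        # a is shared by A1 and A2 while A3 stutters: zips holds
        "zip_ok": zips([P, "a", P], [[S1, "a", S1], [S2, "a", S2], [S3, S3, S3]]),
        # A2 has a in its signature but does not take part: clause 2(b) fails
        "idle_with_a": zips([P, "a", P], [[S1, "a", S1], [S2, S2, S2], [S3, S3, S3]]),
        # only A3 changes signature in one step: clause 4 allows it
        "one_change": zips([P, sig_product([S1, S2, S3C])],
                           [[S1, S1], [S2, S2], [S3, S3C]]),
        # A1 and A3 change in the same step: clause 4 forbids it
        "two_changes": zips([P, sig_product([S1D, S2, S3C])],
                            [[S1, S1D], [S2, S2], [S3, S3C]]),
        # stuttering is invisible under the reduction r
        "stutter": stutter_equiv([S1, S1, "a", S1, S1], [S1, "a", S1]),
    }
```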

We use the $\mathit{zips}$ predicate on pretraces together with the $\approx$ relation on pretraces to define a "zipping" predicate for traces: the trace $\beta$ is a possible result of "zipping up" the traces $\beta_1, \ldots, \beta_n$ if there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ that are stuttering-equivalent to $\beta, \beta_1, \ldots, \beta_n$ respectively, and for which the $\mathit{zips}$ predicate holds. The predicate so defined is named $\mathit{zip}$. Thus, $\mathit{zips}$ is "zipping with stuttering," as applied to pretraces, and $\mathit{zip}$ is "zipping without stuttering," as applied to traces.

Definition 14 (zip of traces) Let $\beta, \beta_1, \ldots, \beta_n$ all be traces ($n \ge 1$). The predicate $\mathit{zip}(\beta, \beta_1, \ldots, \beta_n)$ holds iff there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $\bigwedge_{j \in [n]} \gamma_j \approx \beta_j$, and $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$.

Define $\mathit{pretraces}(A) = \{\gamma \mid \exists \beta \in \mathit{traces}(A) : \beta \approx \gamma\}$. That is, $\mathit{pretraces}(A)$ is the set of pretraces which are stuttering-equivalent to some trace of $A$. An equivalent definition which is sometimes more convenient is $\mathit{pretraces}(A) = \{\gamma \mid \exists \alpha \in \mathit{execs}(A) : \mathit{trace}(\alpha) \approx \gamma\}$. We also define $\mathit{pretraces}^*(A) = \{\gamma \mid \gamma \in \mathit{pretraces}(A)$ and $\gamma$ is finite$\}$.

Given $\gamma \in \mathit{pretraces}(A)$, we define $\mathit{execs}(A)(\gamma) = \{\alpha \mid \alpha \in \mathit{execs}(A) \wedge \mathit{trace}(\alpha) \approx \gamma\}$. In other words, $\mathit{execs}(A)(\gamma)$ is the set of executions (possibly empty) of $A$ whose trace is stuttering-equivalent to $\gamma$. Also, $\mathit{execs}^*(A)(\gamma) = \{\alpha \mid \alpha \in \mathit{execs}^*(A) \wedge \mathit{trace}(\alpha) \approx \gamma\}$, i.e., the set of finite executions (possibly empty) of $A$ whose trace is stuttering-equivalent to $\gamma$.

Theorem 7 states that if a set of finite pretraces $\gamma_j$ of $A_j$ respectively, $j \in [n]$, can be "zipped up" to generate a finite pretrace $\gamma$, then $\gamma$ is a pretrace of $A_1 \| \cdots \| A_n$, and furthermore, any set of executions corresponding to the $\gamma_j$ can be pasted together to generate an execution of $A_1 \| \cdots \| A_n$ corresponding to $\gamma$. Theorem 7 is established by induction on the length of $\gamma$, and the explicit use of executions corresponding to the pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ is needed to make the induction go through.

Theorem 7 (Finite-pretrace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\gamma$ be a finite pretrace. If, for all $j \in [n]$, $\gamma_j \in \mathit{pretraces}^*(A_j)$ can be chosen so that $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$ holds, then

$$\forall \alpha_1 \in \mathit{execs}^*(A_1)(\gamma_1), \ldots, \forall \alpha_n \in \mathit{execs}^*(A_n)(\gamma_n),\ \exists \alpha \in \mathit{execs}^*(A) : \mathit{trace}(\alpha) \approx \gamma \wedge \Big(\bigwedge_{j \in [n]} \alpha\lceil A_j = \alpha_j\Big)$$

Proof: Since $\gamma_j \in \mathit{pretraces}^*(A_j)$, we easily deduce, from the definitions, that $\mathit{execs}^*(A_j)(\gamma_j) \neq \emptyset$ for all $j \in [n]$. For all $j \in [n]$, fix $\alpha_j$ to be an arbitrary element of $\mathit{execs}^*(A_j)(\gamma_j)$. We will assume the antecedent of the theorem, that is, $\gamma_j \in \mathit{pretraces}^*(A_j)$ for all $j \in [n]$ and $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. We will also assume the induction hypothesis for all prefixes of $\gamma$ that are pretraces. We will then establish

$$\exists \alpha \in \mathit{execs}^*(A) : \mathit{trace}(\alpha) \approx \gamma \wedge \Big(\bigwedge_{j \in [n]} \alpha\lceil A_j = \alpha_j\Big) \quad (*)$$

which suffices to establish the theorem. The proof is by induction on $|\gamma|$, the length of $\gamma$.

Base case: $|\gamma| = 1$. Hence $\gamma$ consists of a single external signature $\Gamma$. For the rest of the base case, let $j$ range over $[n]$. By $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$ and Definition 13, we have that each $\gamma_j$ consists of a single external signature $\Gamma_j$, and $\Gamma = \prod_{j \in [n]} \Gamma_j$. Since $\gamma_1, \ldots, \gamma_n$ contain no actions, $\alpha_1, \ldots, \alpha_n$ must contain only internal actions (if any). Furthermore, all the states along $\alpha_j$, $j \in [n]$, must have the same external signature, namely $\Gamma_j$.

By Definition 6, we can construct an execution $\alpha$ of $A$ by first executing all the internal actions in $\alpha_1$ (in the sequence in which they occur in $\alpha_1$), and then executing all the internal actions in $\alpha_2$, etc. until we have executed all the actions of $\alpha_n$, in sequence. It immediately follows, by Definition 9, that $\forall j \in [n] : \alpha\lceil A_j = \alpha_j$. The external signature of every state along $\alpha$ is $\prod_{j \in [n]} \Gamma_j$, i.e., $\Gamma$, since the external signature component contributed by each $A_j$ is always $\Gamma_j$. Hence, by Definition 2, $\mathit{trace}(\alpha) \approx \Gamma$. Thus, $\mathit{trace}(\alpha) \approx \gamma$. We have thus established $\mathit{trace}(\alpha) \approx \gamma$ and $(\bigwedge_{j \in [n]} \alpha\lceil A_j = \alpha_j)$. Hence $(*)$ is established.

Induction step: $|\gamma| > 1$. There are two cases to consider, according to Definition 13.

Case 1: $\gamma = \gamma' a \Gamma$, $\gamma'$ is a pretrace, $a$ is an action, and $\Gamma$ is an external signature.
Hence, by Definition 13, we have

$$\exists \varphi, \emptyset \neq \varphi \subseteq [n] :$$
$$\forall k \in \varphi : \gamma_k = \gamma'_k a \Gamma_k \wedge a \in \overline{\mathit{last}(\gamma'_k)},$$
$$\forall \ell \in [n] - \varphi : \gamma_\ell = \gamma'_\ell \Gamma_\ell \Gamma_\ell \wedge \Gamma_\ell = \mathit{last}(\gamma'_\ell) \wedge a \notin \overline{\Gamma_\ell},$$
$$\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n),$$
$$\Gamma = \Big(\prod_{k \in \varphi} \Gamma_k\Big) \times \Big(\prod_{\ell \in [n]-\varphi} \Gamma_\ell\Big). \quad (a)$$

For the rest of this case, let $j$ range over $[n]$, $k$ range over $\varphi$, and $\ell$ range over $[n] - \varphi$. In (a), we have that $\gamma'_j \in \mathit{pretraces}^*(A_j)$ for all $j$, since $\gamma'_j < \gamma_j$ and $\gamma_j \in \mathit{pretraces}^*(A_j)$ for all $j$. Since we also have $\gamma' < \gamma$ and $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we can apply the inductive hypothesis for $\gamma'$ to obtain

$$\forall \alpha'_1 \in \mathit{execs}^*(A_1)(\gamma'_1), \ldots, \forall \alpha'_n \in \mathit{execs}^*(A_n)(\gamma'_n) :\ \exists \alpha' \in \mathit{execs}^*(A) : \mathit{trace}(\alpha') \approx \gamma' \wedge \forall j \in [n] : \alpha'\lceil A_j = \alpha'_j \quad (b)$$

By assumption, $\alpha_k \in \mathit{execs}^*(A_k)(\gamma_k)$. Hence, we can find a finite execution $\alpha'_k$, and finite execution fragment $\alpha''_k$ such that $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$, where $s_k = \mathit{last}(\alpha'_k)$, $\mathit{ext}(A_k)(t_k) = \Gamma_k$, and $t_k = \mathit{first}(\alpha''_k)$. Furthermore, $\alpha'_k \in \mathit{execs}^*(A_k)(\gamma'_k)$, since $\alpha_k \in \mathit{execs}^*(A_k)(\gamma_k)$, $\gamma_k = \gamma'_k a \Gamma_k$, and $\mathit{ext}(A_k)(t_k) = \Gamma_k$. Also, $\alpha''_k$ consists entirely of internal actions, and $\mathit{trace}(\alpha''_k) \approx \Gamma_k$, i.e., every state along $\alpha''_k$ has external signature $\Gamma_k$.
By assumption, $\alpha_\ell \in \mathit{execs}(A_\ell)(\gamma_\ell)$. For all $\ell$, let $\alpha'_\ell = \alpha_\ell$, and let $s_\ell = t_\ell = \mathit{last}(\alpha'_\ell)$. Hence $\alpha'_\ell \in \mathit{execs}(A_\ell)(\gamma'_\ell)$, since $\gamma'_\ell \approx \gamma_\ell$. Instantiating (b) for these choices of $\alpha'_k, \alpha'_\ell$, we obtain, for some $\alpha'$:

$$\Big(\bigwedge_j \alpha'\lceil A_j = \alpha'_j\Big) \wedge \alpha' \in \mathit{execs}^*(A)(\gamma') \wedge \Big(\bigwedge_k (s_k, a, t_k) \in \mathit{steps}(A_k)\Big) \wedge \Big(\bigwedge_k \mathit{ext}(A_k)(t_k) = \Gamma_k\Big). \quad (c)$$

By $\alpha'_\ell \in \mathit{execs}^*(A_\ell)(\gamma'_\ell)$ and $s_\ell = \mathit{last}(\alpha'_\ell)$, we have $\mathit{ext}(A_\ell)(s_\ell) = \mathit{last}(\gamma'_\ell)$. Hence, by (a), we have $\mathit{ext}(A_\ell)(s_\ell) = \Gamma_\ell$. Also, by (a), $a \notin \overline{\Gamma_\ell}$. Thus,

$$\bigwedge_\ell a \notin \overline{\mathit{ext}(A_\ell)(s_\ell)} \wedge \mathit{ext}(A_\ell)(s_\ell) = \Gamma_\ell. \quad (d)$$

Also, since $A_1, \ldots, A_n$ are compatible SIOA, we have $\bigwedge_\ell a \notin \mathit{int}(A_\ell)(s_\ell)$. Hence $\bigwedge_\ell a \notin \overline{\mathit{sig}(A_\ell)(s_\ell)}$. Now let $s = (s_1, \ldots, s_n)$, and let $t = (t_1, \ldots, t_n)$. By (b) and Definition 9, we have $s = \mathit{last}(\alpha')$. By (b), $\bigwedge_\ell a \notin \mathit{int}(A_\ell)(s_\ell)$, and Definition 6, we have $(s, a, t) \in \mathit{steps}(A)$. Now let $\alpha''$ be a finite execution fragment of $A$ constructed as follows. Let $t$ be the first state of $\alpha''$. Starting from $t$, execute in sequence first all the (internal) transitions along $\alpha''_{k_1}$, where $k_1$ is some element of $\varphi$, and then all the (internal) transitions along $\alpha''_{k_2}$, where $k_2$ is another element of $\varphi$, etc. until all elements of $\varphi$ have been exhausted. Since all the transitions are internal, Definition 6 gives us that $\alpha''$ is indeed an execution fragment of $A$. Furthermore, since no external signatures change along any of the $\alpha''_k$, it follows that the external signature does not change along $\alpha''$, and hence must equal $\mathit{ext}(A)(t)$ at all states along $\alpha''$. Hence $\mathit{trace}(\alpha'') \approx \mathit{ext}(A)(t)$. Finally, by its construction, we have $\alpha''\lceil A_k = \alpha''_k$ for all $k$.

Let $\alpha = \alpha' \frown (s \xrightarrow{a}_A t) \frown \alpha''$. By the above, $\alpha$ is well defined, and is an execution of $A$.

We now have
$\mathit{ext}(A)(t)$
$= (\prod_k \mathit{ext}(A_k)(t_k)) \times (\prod_\ell \mathit{ext}(A_\ell)(t_\ell))$    definition of $t$
$= (\prod_k \Gamma_k) \times (\prod_\ell \mathit{ext}(A_\ell)(t_\ell))$    (c)
$= (\prod_k \Gamma_k) \times (\prod_\ell \Gamma_\ell)$    (d)
$= \Gamma$    (a)

Also,
$\mathit{trace}(\alpha)$
$\approx \mathit{trace}(\alpha') \frown a \frown \mathit{trace}(\alpha'')$    definition of $\alpha$
$\approx \mathit{trace}(\alpha') \frown a \frown \mathit{ext}(A)(t)$    $\mathit{trace}(\alpha'') \approx \mathit{ext}(A)(t)$
$\approx \mathit{trace}(\alpha') \frown a \frown \Gamma$    $\mathit{ext}(A)(t) = \Gamma$ established above
$\approx \gamma' a \Gamma$    $\alpha' \in \mathit{execs}^*(A)(\gamma')$, hence $\mathit{trace}(\alpha') \approx \gamma'$
$\approx \gamma$    case condition

For all $k \in \varphi$,
$\alpha\lceil A_k$
$= (\alpha'\lceil A_k) \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha''\lceil A_k)$    Definition 9 and definition of $\alpha$
$= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha''\lceil A_k)$    by (c), $\alpha'\lceil A_k = \alpha'_k$
$= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$    by the preceding remarks, $\alpha''\lceil A_k = \alpha''_k$
$= \alpha_k$    by definition of $\alpha'_k, \alpha''_k$: $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$

For all $\ell \in [n] - \varphi$,
$\alpha\lceil A_\ell$
$= \alpha'\lceil A_\ell$    Definition 9 and definition of $\alpha$
$= \alpha'_\ell$    by (c), $\alpha'\lceil A_\ell = \alpha'_\ell$
$= \alpha_\ell$    by our choice of $\alpha'_\ell$, $\alpha_\ell = \alpha'_\ell$

We have just established $\alpha \in \mathit{execs}^*(A)$, $\alpha\lceil A_j = \alpha_j$ for all $j \in [n]$, and $\mathit{trace}(\alpha) \approx \gamma$. Hence $(*)$ is established for case 1.



Case 2: $\gamma = \gamma'\Gamma$, $\gamma'$ is a pretrace, and $\Gamma$ is an external signature.
Hence, by Definition 13, we have

$$\exists k \in [n] :$$
$$\gamma_k = \gamma'_k \Gamma_k \wedge \mathit{last}(\gamma'_k) \text{ is an external signature},$$
$$\forall \ell \in [n] - k : \gamma_\ell = \gamma'_\ell \Gamma_\ell \wedge \mathit{last}(\gamma'_\ell) = \Gamma_\ell,$$
$$\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n),$$
$$\Gamma = \Gamma_k \times \Big(\prod_{\ell \in [n]-k} \Gamma_\ell\Big). \quad (a)$$

For the rest of this case, let $j$ range over $[n]$, and $\ell$ range over $[n] - k$. In (a), we have that $\gamma'_j \in \mathit{pretraces}^*(A_j)$ for all $j$, since $\gamma'_j < \gamma_j$ and $\gamma_j \in \mathit{pretraces}^*(A_j)$ for all $j$. Since we also have $\gamma' < \gamma$ and $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we can apply the inductive hypothesis for $\gamma'$ to obtain

$$\forall \alpha'_1 \in \mathit{execs}^*(A_1)(\gamma'_1), \ldots, \forall \alpha'_n \in \mathit{execs}^*(A_n)(\gamma'_n) :\ \exists \alpha' \in \mathit{execs}^*(A) : \mathit{trace}(\alpha') \approx \gamma' \wedge \Big(\bigwedge_{j \in [n]} \alpha'\lceil A_j = \alpha'_j\Big) \quad (b)$$

By assumption, $\alpha_\ell \in \mathit{execs}(A_\ell)(\gamma_\ell)$. For all $\ell$, let $\alpha'_\ell = \alpha_\ell$, and let $s_\ell = t_\ell = \mathit{last}(\alpha'_\ell)$. Hence $\alpha'_\ell \in \mathit{execs}(A_\ell)(\gamma'_\ell)$, since $\gamma'_\ell \approx \gamma_\ell$. Define $\alpha'_k$ as follows. If $\Gamma_k = \mathit{last}(\gamma'_k)$, then let $\alpha'_k = \alpha_k$. If $\Gamma_k \neq \mathit{last}(\gamma'_k)$, then we can find a finite execution $\alpha'_k$, and finite execution fragment $\alpha''_k$ such that $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$ for some action $a$, where $s_k = \mathit{last}(\alpha'_k)$, $\mathit{ext}(A_k)(t_k) = \Gamma_k$, and $t_k = \mathit{first}(\alpha''_k)$. The transition $s_k \xrightarrow{a}_{A_k} t_k$ must exist, since the external signature of $A_k$ changed along $\gamma_k$. Also, $\alpha''_k$ consists entirely of internal actions, and $\mathit{trace}(\alpha''_k) \approx \Gamma_k$, i.e., every state along $\alpha''_k$ has external signature $\Gamma_k$.

In both cases, $\alpha'_k \in \mathit{execs}(A_k)(\gamma'_k)$. Instantiating (b) for these choices of $\alpha'_j$, we obtain, for some $\alpha'$:

$$\Big(\bigwedge_j : \alpha'\lceil A_j = \alpha'_j\Big) \wedge \alpha' \in \mathit{execs}^*(A)(\gamma') \wedge (s_k, a, t_k) \in \mathit{steps}(A_k) \wedge \mathit{ext}(A_k)(t_k) = \Gamma_k \quad (c)$$

We now have two subcases.

Subcase 2.1: $\Gamma_k = \mathit{last}(\gamma'_k)$.

So, $\alpha'_k = \alpha_k$. Since $\alpha'_\ell = \alpha_\ell$ for all $\ell \in [n] - k$, we get $\alpha'_j = \alpha_j$ for all $j \in [n]$. Now define $\alpha = \alpha'$. Hence, by (c), we obtain $(\bigwedge_j : \alpha\lceil A_j = \alpha_j)$. Also by (c), $\mathit{trace}(\alpha') \approx \gamma'$, since $\alpha' \in \mathit{execs}^*(A)(\gamma')$. Hence $\mathit{trace}(\alpha) \approx \gamma'$.

By the case assumption, $\mathit{last}(\gamma')$ is an external signature. So, we have
$\mathit{last}(\gamma')$
$= \mathit{last}(\gamma'_k) \times (\prod_\ell \mathit{last}(\gamma'_\ell))$    $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and Definition 13
$= \mathit{last}(\gamma'_k) \times (\prod_\ell \Gamma_\ell)$    (a)
$= \Gamma_k \times (\prod_\ell \Gamma_\ell)$    subcase assumption
$= \Gamma$    (a)

By the case assumption, $\gamma = \gamma'\Gamma$. Hence $\gamma \approx \gamma'$. So, $\mathit{trace}(\alpha) \approx \gamma$. We have just established $\alpha \in \mathit{execs}(A)$, $\alpha\lceil A_j = \alpha_j$ for all $j \in [n]$, and $\mathit{trace}(\alpha) \approx \gamma$. Hence $(*)$ is established for subcase 2.1.



Subcase 2.2: $\Gamma_k \neq \mathit{last}(\gamma'_k)$.

Hence $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$, where $s_k = \mathit{last}(\alpha'_k)$ and $\mathit{ext}(A_k)(t_k) = \Gamma_k$.

Now let $s = (s_1, \ldots, s_n)$, and let $t = (t_1, \ldots, t_n)$. By (b) and Definition 9, we have $s = \mathit{last}(\alpha')$. By Definition 6, we have $(s, a, t) \in \mathit{steps}(A)$. Let $\alpha = \alpha' \frown (s \xrightarrow{a}_A t) \frown \alpha''$, where $\alpha''$ is the finite execution fragment of $A$ with first state $t$, and whose transitions are exactly those of $\alpha''_k$, with no other SIOA making any transitions. Since all the transitions of $\alpha''_k$ are internal, Definition 6 gives us that $\alpha''$ is indeed an execution fragment of $A$. Furthermore, since the external signature does not change along $\alpha''_k$, it follows that the external signature does not change along $\alpha''$, and hence must equal $\mathit{ext}(A)(t)$ at all states along $\alpha''$. Hence $\mathit{trace}(\alpha'') \approx \mathit{ext}(A)(t)$. Finally, by its construction, we have $\alpha''\lceil A_k = \alpha''_k$.

By the above, $\alpha$ is well defined, and is an execution of $A$.



We now have
$\mathit{ext}(A)(t)$
$= \mathit{ext}(A_k)(t_k) \times (\prod_\ell \mathit{ext}(A_\ell)(t_\ell))$    definition of $t$
$= \Gamma_k \times (\prod_\ell \mathit{ext}(A_\ell)(t_\ell))$    definition of $t_k$
$= \Gamma_k \times (\prod_\ell \Gamma_\ell)$    $t_\ell = \mathit{last}(\alpha'_\ell)$, so $\mathit{ext}(A_\ell)(t_\ell) = \mathit{last}(\gamma'_\ell) = \Gamma_\ell$ by (a)
$= \Gamma$    (a)

And so,
$\mathit{trace}(\alpha)$
$\approx \mathit{trace}(\alpha') \frown \mathit{trace}(\alpha'')$    definition of $\alpha$
$\approx \mathit{trace}(\alpha') \frown \mathit{ext}(A)(t)$    $\mathit{trace}(\alpha'') \approx \mathit{ext}(A)(t)$
$\approx \mathit{trace}(\alpha') \frown \Gamma$    $\mathit{ext}(A)(t) = \Gamma$ established above
$\approx \gamma'\Gamma$    $\alpha' \in \mathit{execs}^*(A)(\gamma')$, hence $\mathit{trace}(\alpha') \approx \gamma'$
$\approx \gamma$    case condition

For $k$,
$\alpha\lceil A_k$
$= (\alpha'\lceil A_k) \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha''\lceil A_k)$    Definition 9 and definition of $\alpha$
$= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha''\lceil A_k)$    by (c), $\alpha'\lceil A_k = \alpha'_k$
$= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$    by the preceding remarks, $\alpha''\lceil A_k = \alpha''_k$
$= \alpha_k$    by definition of $\alpha'_k, \alpha''_k$: $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$

For all $\ell \in [n] - k$,
$\alpha\lceil A_\ell$
$= \alpha'\lceil A_\ell$    Definition 9 and definition of $\alpha$
$= \alpha'_\ell$    by (c), $\alpha'\lceil A_\ell = \alpha'_\ell$
$= \alpha_\ell$    by our choice of $\alpha'_\ell$, $\alpha_\ell = \alpha'_\ell$

We have just established $\alpha \in \mathit{execs}(A)$, $\alpha\lceil A_j = \alpha_j$ for all $j \in [n]$, and $\mathit{trace}(\alpha) \approx \gamma$. Hence $(*)$ is established for subcase 2.2. Hence Case 2 of the inductive step is established.

Since both cases of the inductive step have been established, the theorem follows. □



We use Theorem 7 and the definition of $\mathit{zip}$ (Definition 14) to establish a similar result for traces.

Corollary 8 (Finite trace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\beta$ be a finite trace and $\beta_1, \ldots, \beta_n$ be such that $\beta_j \in \mathit{traces}^*(A_j)$ for all $j \in [n]$. If $\mathit{zip}(\beta, \beta_1, \ldots, \beta_n)$ holds, then $\beta \in \mathit{traces}^*(A)$.

Proof: By Definition 14, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $(\bigwedge_{j \in [n]} \gamma_j \approx \beta_j)$, and $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. By Theorem 7, $\exists \alpha \in \mathit{execs}^*(A) : \mathit{trace}(\alpha) \approx \gamma$. Hence $\mathit{trace}(\alpha) \approx \beta$. Since $\beta$ is a trace, we obtain $\mathit{trace}(\alpha) = \beta$. Since $\beta$ is finite, $\beta \in \mathit{traces}^*(A)$. □

Theorem 9 extends Theorem 7 to infinite pretraces. That is, if a set of pretraces $\gamma_j$ of $A_j$ respectively, $j \in [n]$, can be "zipped up" to generate a pretrace $\gamma$, then $\gamma$ is a pretrace of $A = A_1 \| \cdots \| A_n$. The proof uses the result of Theorem 7 to construct an infinite family of finite executions, each of which is a prefix of the next, and such that the trace of each finite execution is stuttering-equivalent to a prefix of $\gamma$. Taking the limit of these executions under the prefix-ordering then yields an infinite execution $\alpha$ of $A$ whose trace is stuttering-equivalent to $\gamma$, as desired.

Theorem 9 (Pretrace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\gamma$ be a pretrace. If, for all $j \in [n]$, $\gamma_j \in \mathit{pretraces}(A_j)$ can be chosen so that $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$ holds, then $\exists \alpha \in \mathit{execs}(A) : \mathit{trace}(\alpha) \approx \gamma$.

Proof: If $\gamma$ is finite, then the result follows from Theorem 7, and Definition 13, clause 1. Hence assume that $\gamma$ is infinite for the remainder of the proof. By Proposition 6, we have

$$\forall i, i > 0 \wedge \mathit{ispretrace}(\gamma|i) : \mathit{zips}(\gamma|i, \gamma_1|i, \ldots, \gamma_n|i) \quad (a)$$

For any $i > 0$, if $\mathit{ispretrace}(\gamma|i)$ and $\mathit{zips}(\gamma|i, \gamma_1|i, \ldots, \gamma_n|i)$, then $\bigwedge_{j \in [n]} \mathit{ispretrace}(\gamma_j|i)$, by Definition 13. Hence, by definition of a pretrace, we have

$$\forall j \in [n], \forall i, i > 0 \wedge \mathit{ispretrace}(\gamma|i) : \gamma_j|i \in \mathit{pretraces}(A_j) \quad (b)$$

By (a,b) and Theorem 7, we have

$$\forall i, i > 0 \wedge \mathit{ispretrace}(\gamma|i) : \exists \alpha^i \in \mathit{execs}(A) : \mathit{trace}(\alpha^i) \approx \gamma|i \quad (c)$$

Now let $i', i''$ be such that $i' < i''$, $\mathit{ispretrace}(\gamma|i')$, $\mathit{ispretrace}(\gamma|i'')$ and there is no $i' < i < i''$ such that $\mathit{ispretrace}(\gamma|i)$. By Definition 10, we have that either $\gamma|i'' = (\gamma|i')a\Gamma$ or $\gamma|i'' = (\gamma|i')\Gamma$, for some action $a$ and external signature $\Gamma$. We can show that there exist $\alpha^{i'} \in \mathit{execs}(A)$, $\alpha^{i''} \in \mathit{execs}(A)$ such that $\alpha^{i'} < \alpha^{i''}$, $\mathit{trace}(\alpha^{i'}) \approx \gamma|i'$, $\mathit{trace}(\alpha^{i''}) \approx \gamma|i''$. This is established by the same argument as used for the inductive step in the proof of Theorem 7. In essence, $\alpha^{i''}$ is obtained inductively as an extension of $\alpha^{i'}$. We omit the (repetitive) details.

Let $\mathit{prefixes}(\gamma) = \{i \mid i > 0 \wedge \mathit{ispretrace}(\gamma|i)\}$. Hence, from this and (c), we have that there exists a set $\{\alpha^i \mid i \in \mathit{prefixes}(\gamma)\}$ such that

$$\forall i \in \mathit{prefixes}(\gamma) : \alpha^i \in \mathit{execs}(A) \wedge \mathit{trace}(\alpha^i) \approx \gamma|i$$
$$\forall i, i' \in \mathit{prefixes}(\gamma), i < i' : \alpha^i < \alpha^{i'} \quad (d)$$

Now let $\alpha$ be the unique minimum sequence that satisfies $\forall i \in \mathit{prefixes}(\gamma) : \alpha^i < \alpha$. $\alpha$ exists by (d). Since every triple $(s, a, s')$ along $\alpha$ occurs in some $\alpha^i$, it must be a step of $A$. Hence $\alpha$ is an execution of $A$. Furthermore, every element of $\gamma$ occurs in some $\gamma|i$, and hence will occur in the trace of $\alpha^i$, by (d) (note that a single element of $\mathit{trace}(\alpha)$ may account for multiple elements of $\gamma$). Hence this element will also occur in the trace of $\alpha$. Furthermore, the order of such elements in $\mathit{trace}(\alpha)$ is the same as their order in $\gamma$. Finally, $\mathit{trace}(\alpha)$ contains no elements other than those generated by some $\alpha^i$, and hence which occur in $\gamma|i$ and so also in $\gamma$. Hence we conclude $\mathit{trace}(\alpha) \approx \gamma$. □

We use Theorem 9 and the definition of $\mathit{zip}$ (Definition 14) to establish Corollary 10, which extends Corollary 8 to infinite traces. Corollary 10 gives our main trace pasting result, and is also used to establish trace substitutivity, Theorem 15, below.

Corollary 10 (Trace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\beta$ be a trace and $\beta_1, \ldots, \beta_n$ be such that $\beta_j \in \mathit{traces}(A_j)$ for all $j \in [n]$. If $\mathit{zip}(\beta, \beta_1, \ldots, \beta_n)$ holds, then $\beta \in \mathit{traces}(A)$.

Proof: By Definition 14, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $\bigwedge_{j \in [n]} \gamma_j \approx \beta_j$, and $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. By Theorem 9, $\exists \alpha \in \mathit{execs}(A) : \mathit{trace}(\alpha) \approx \gamma$. Hence $\mathit{trace}(\alpha) \approx \beta$. Since $\beta$ is a trace, we obtain $\mathit{trace}(\alpha) = \beta$. Hence $\beta \in \mathit{traces}(A)$. □



3.3 Trace Substitutivity for SIOA 

To establish trace substitutivity, we first need some preliminary technical results. These establish that for an execution $\alpha$ of $A = A_1 \| \cdots \| A_n$ and its projections $\alpha\lceil A_1, \ldots, \alpha\lceil A_n$, there exist corresponding (in the sense of being stuttering equivalent to the trace of) pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ respectively which "zip up," i.e., $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$ holds. Our first proposition establishes this result for finite executions.

Proposition 11 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\alpha$ be any finite execution of $A$. Then, there exist finite pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \mathit{trace}(\alpha)$, for all $j \in [n]$, $\gamma_j \approx \mathit{trace}(\alpha\lceil A_j)$, and $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$.

Proof: By induction on $|\alpha|$. For the rest of the proof, fix $\alpha$ to be some element of $\mathit{execs}^*(A)(\gamma)$.

Base case: $|\alpha| = 0$. Then $\alpha$ consists of a single state $s$. By Definition 6, we have $\mathit{ext}(A)(s) = \prod_{j \in [n]} \mathit{ext}(A_j)(s\lceil A_j)$. Let $\gamma$ consist of the single element $\mathit{ext}(A)(s)$ and for all $j \in [n]$, let $\gamma_j$ consist of the single element $\mathit{ext}(A_j)(s\lceil A_j)$. Hence $\gamma = \prod_{j \in [n]} \gamma_j$. By Definition 13, $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$ holds.

Induction step: $|\alpha| > 0$. There are two cases to consider, according to whether the last transition of $\alpha$ is an external or internal action of $A$.

Case 1: $\alpha = \alpha' a t$ for some action $a$ and state $t$, where $a \in \overline{\mathit{ext}(A)(\mathit{last}(\alpha'))}$.
We can apply the induction hypothesis to $\alpha'$ to obtain

there exist pretraces $\gamma', \gamma'_1, \ldots, \gamma'_n$ such that

$$\gamma' \approx \mathit{trace}(\alpha'),\ \bigwedge_{j \in [n]} \gamma'_j \approx \mathit{trace}(\alpha'\lceil A_j),\ \text{and}\ \mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n) \quad (a)$$

Let $s = \mathit{last}(\alpha')$, and for all $j$, let $s_j = s\lceil A_j$, and $t_j = t\lceil A_j$. Let $\varphi = \{j \mid a \in \overline{\mathit{ext}(A_j)(s_j)}\}$. Let $k$ range over $\varphi$ and $\ell$ range over $[n] - \varphi$. Hence, $\bigwedge_\ell a \notin \overline{\mathit{sig}(A_\ell)(s_\ell)}$. Hence, by Definition 6, $\bigwedge_\ell s_\ell = t_\ell$.

By Definition 9, for all $k$, we have $\alpha\lceil A_k = (\alpha'\lceil A_k) a t_k$. Hence $\mathit{trace}(\alpha\lceil A_k) = \mathit{trace}(\alpha'\lceil A_k) \frown a \frown \mathit{ext}(A_k)(t_k)$. For all $k$, we have $\gamma'_k \approx \mathit{trace}(\alpha'\lceil A_k)$ by (a). Let $\gamma_k = \gamma'_k \frown a \frown \mathit{ext}(A_k)(t_k)$. Hence $\gamma_k \approx \mathit{trace}(\alpha\lceil A_k)$.

By Definition 9, for all $\ell$, we have $\alpha\lceil A_\ell = \alpha'\lceil A_\ell$. Hence $\mathit{trace}(\alpha\lceil A_\ell) = \mathit{trace}(\alpha'\lceil A_\ell)$. Let $\gamma_\ell = \gamma'_\ell \frown \mathit{ext}(A_\ell)(s_\ell) \frown \mathit{ext}(A_\ell)(s_\ell)$. From $\gamma'_\ell \approx \mathit{trace}(\alpha'\lceil A_\ell)$ and $s = \mathit{last}(\alpha')$, we get $\mathit{last}(\gamma'_\ell) = \mathit{ext}(A_\ell)(\mathit{last}(\alpha'\lceil A_\ell)) = \mathit{ext}(A_\ell)(s_\ell)$. Hence $\gamma_\ell \approx \gamma'_\ell$. For all $\ell$, we have $\gamma'_\ell \approx \mathit{trace}(\alpha'\lceil A_\ell)$ by (a). Hence $\gamma_\ell \approx \gamma'_\ell \approx \mathit{trace}(\alpha'\lceil A_\ell) = \mathit{trace}(\alpha\lceil A_\ell)$. Thus, $\gamma_\ell \approx \mathit{trace}(\alpha\lceil A_\ell)$.

Let $\gamma = \gamma' \frown a \frown \mathit{ext}(A)(t)$. Now $\mathit{trace}(\alpha) = \mathit{trace}(\alpha' a t) = \mathit{trace}(\alpha') \frown a \frown \mathit{ext}(A)(t)$. From (a), $\gamma' \approx \mathit{trace}(\alpha')$. Hence $\gamma = \gamma' \frown a \frown \mathit{ext}(A)(t) \approx \mathit{trace}(\alpha') \frown a \frown \mathit{ext}(A)(t) = \mathit{trace}(\alpha)$. So, $\gamma \approx \mathit{trace}(\alpha)$.

From the previous three paragraphs, we have

$$\gamma \approx \mathit{trace}(\alpha) \wedge \bigwedge_{j \in [n]} \gamma_j \approx \mathit{trace}(\alpha\lceil A_j). \quad (b)$$

We now establish $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. We show that all clauses of Definition 13 are satisfied for $\gamma, \gamma_1, \ldots, \gamma_n$. By (a), $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$. We will use this repeatedly below.

By $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we have $|\gamma'| = |\gamma'_1| = \cdots = |\gamma'_n|$. By construction $|\gamma| = |\gamma'| + 2$, and for all $j \in [n]$, $|\gamma_j| = |\gamma'_j| + 2$. Hence $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$. So clause 1 is satisfied.

By definition of $\ell$, we have $\bigwedge_\ell a \notin \overline{\mathit{ext}(A_\ell)(s_\ell)}$. By construction, the last three elements of $\gamma_\ell$ (for all $\ell$) are all $\mathit{ext}(A_\ell)(s_\ell)$. By this and $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 2 is satisfied.

By Definition 6, we have $\mathit{ext}(A)(t) = \prod_{j \in [n]} \mathit{ext}(A_j)(t_j)$. By construction, we have $\mathit{last}(\gamma) = \mathit{ext}(A)(t)$, $\bigwedge_k \mathit{last}(\gamma_k) = \mathit{ext}(A_k)(t_k)$, and $\bigwedge_\ell \mathit{last}(\gamma_\ell) = \mathit{ext}(A_\ell)(s_\ell)$. From $\bigwedge_\ell s_\ell = t_\ell$ (established above), we get $\bigwedge_\ell \mathit{last}(\gamma_\ell) = \mathit{ext}(A_\ell)(t_\ell)$. Hence $\mathit{last}(\gamma) = \prod_{j \in [n]} \mathit{last}(\gamma_j)$. By this and $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 3 is satisfied.

By $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and the construction of $\gamma, \gamma_1, \ldots, \gamma_n$ (specifically, that $a$ is an external action), we conclude that clause 4 is satisfied.

Hence, we have established $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. Together with (b), this establishes the inductive step in this case.

Case 2: $\alpha = \alpha' a t$ for some action $a$ and state $t$, where $a \in \mathit{int}(A)(\mathit{last}(\alpha'))$.
We can apply the induction hypothesis to $\alpha'$ to obtain

there exist pretraces $\gamma', \gamma'_1, \ldots, \gamma'_n$ such that

$$\gamma' \approx \mathit{trace}(\alpha'),\ \bigwedge_{j \in [n]} \gamma'_j \approx \mathit{trace}(\alpha'\lceil A_j),\ \text{and}\ \mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n) \quad (a)$$

Let $s = \mathit{last}(\alpha')$, and for all $j$, let $s_j = s\lceil A_j$, and $t_j = t\lceil A_j$. Since $a$ is an internal action of $A$, it is executed by exactly one of the $A_1, \ldots, A_n$. Thus, there is some $k \in [n]$ such that $a \in \mathit{int}(A_k)(s_k)$, and for all $\ell \in [n] - k$, $a \notin \overline{\mathit{sig}(A_\ell)(s_\ell)}$. Let $\ell$ range over $[n] - k$ for the rest of this case. Hence $\bigwedge_\ell s_\ell = t_\ell$, by Definition 6.

By Definition 9, we have $\alpha\lceil A_k = (\alpha'\lceil A_k) a t_k$. Hence $\mathit{trace}(\alpha\lceil A_k) = \mathit{trace}(\alpha'\lceil A_k) \frown \mathit{ext}(A_k)(t_k)$. For $k$, we have $\gamma'_k \approx \mathit{trace}(\alpha'\lceil A_k)$ by (a). Let $\gamma_k = \gamma'_k \frown \mathit{ext}(A_k)(t_k)$. Hence $\gamma_k \approx \mathit{trace}(\alpha\lceil A_k)$.

By Definition 9, for all $\ell$, we have $\alpha\lceil A_\ell = \alpha'\lceil A_\ell$. Hence $\mathit{trace}(\alpha\lceil A_\ell) = \mathit{trace}(\alpha'\lceil A_\ell)$. Let $\gamma_\ell = \gamma'_\ell \frown \mathit{ext}(A_\ell)(s_\ell)$. From $\gamma'_\ell \approx \mathit{trace}(\alpha'\lceil A_\ell)$ and $s = \mathit{last}(\alpha')$, we get $\mathit{last}(\gamma'_\ell) = \mathit{ext}(A_\ell)(\mathit{last}(\alpha'\lceil A_\ell)) = \mathit{ext}(A_\ell)(s_\ell)$. Hence $\gamma_\ell \approx \gamma'_\ell$. For all $\ell$, we have $\gamma'_\ell \approx \mathit{trace}(\alpha'\lceil A_\ell)$ by (a). Hence $\gamma_\ell \approx \gamma'_\ell \approx \mathit{trace}(\alpha'\lceil A_\ell) = \mathit{trace}(\alpha\lceil A_\ell)$. Thus, $\gamma_\ell \approx \mathit{trace}(\alpha\lceil A_\ell)$.

Let $\gamma = \gamma' \frown \mathit{ext}(A)(t)$. Now $\mathit{trace}(\alpha) = \mathit{trace}(\alpha' a t) = \mathit{trace}(\alpha') \frown \mathit{ext}(A)(t)$. From (a), $\gamma' \approx \mathit{trace}(\alpha')$. Hence $\gamma = \gamma' \frown \mathit{ext}(A)(t) \approx \mathit{trace}(\alpha') \frown \mathit{ext}(A)(t) = \mathit{trace}(\alpha)$. So, $\gamma \approx \mathit{trace}(\alpha)$.

From the previous three paragraphs, we have

$$\gamma \approx \mathit{trace}(\alpha) \wedge \bigwedge_{j \in [n]} \gamma_j \approx \mathit{trace}(\alpha\lceil A_j). \quad (b)$$

We now establish $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. We show that all clauses of Definition 13 are satisfied for $\gamma, \gamma_1, \ldots, \gamma_n$. By (a), $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$. We will use this repeatedly below.

By $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we have $|\gamma'| = |\gamma'_1| = \cdots = |\gamma'_n|$. By construction $|\gamma| = |\gamma'| + 1$, and for all $j \in [n]$, $|\gamma_j| = |\gamma'_j| + 1$. Hence $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$. So clause 1 is satisfied.

By $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and the construction of $\gamma, \gamma_1, \ldots, \gamma_n$ (specifically, that $a$ is an internal action), we conclude that clause 2 is satisfied.

By Definition 6, we have $\mathit{ext}(A)(t) = \prod_{j \in [n]} \mathit{ext}(A_j)(t_j)$. By construction, we have $\mathit{last}(\gamma) = \mathit{ext}(A)(t)$, $\mathit{last}(\gamma_k) = \mathit{ext}(A_k)(t_k)$, and $\bigwedge_\ell \mathit{last}(\gamma_\ell) = \mathit{ext}(A_\ell)(s_\ell)$. From $\bigwedge_\ell s_\ell = t_\ell$ (established above), we get $\bigwedge_\ell \mathit{last}(\gamma_\ell) = \mathit{ext}(A_\ell)(t_\ell)$. Hence $\mathit{last}(\gamma) = \prod_{j \in [n]} \mathit{last}(\gamma_j)$. By this and $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 3 is satisfied.

By construction, the last two elements of $\gamma_\ell$ (for all $\ell$) are both $\mathit{ext}(A_\ell)(s_\ell)$. By this and $\mathit{zips}(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 4 is satisfied.

Hence, we have established $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$. Together with (b), this establishes the inductive step in this case.

Having established both possible cases, we conclude that the inductive step holds. □

Proposition 12 extends the result of Proposition 11 to the (infinite set of) finite prefixes of an infinite execution. That is, for every finite prefix $\alpha|i$ of an infinite execution $\alpha$ of $A = A_1 \| \cdots \| A_n$, and its projections $(\alpha|i)\lceil A_1, \ldots, (\alpha|i)\lceil A_n$, there exist corresponding (in the sense of being stuttering equivalent to the trace of) pretraces $\gamma^i$ and $\gamma^i_1, \ldots, \gamma^i_n$ respectively which "zip up," i.e., $\mathit{zips}(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$ holds. Furthermore, the pretraces $\gamma^{i-1}, \gamma^{i-1}_1, \ldots, \gamma^{i-1}_n$ corresponding to $\alpha|i{-}1, (\alpha|i{-}1)\lceil A_1, \ldots, (\alpha|i{-}1)\lceil A_n$, respectively, are prefixes of the pretraces $\gamma^i, \gamma^i_1, \ldots, \gamma^i_n$, respectively.

Proposition 12 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\alpha$ be any execution of $A$. Then, there exists a set of tuples of finite pretraces $\{(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i \le |\alpha|\}$ such that:

1. $\forall i, 0 \le i \le |\alpha| : \gamma^i \approx \mathit{trace}(\alpha|i) \wedge (\bigwedge_{j \in [n]} \gamma^i_j \approx \mathit{trace}((\alpha|i)\lceil A_j))$

2. $\forall i, 0 \le i \le |\alpha| : \mathit{zips}(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$

3. $\forall i, 0 < i \le |\alpha| : \gamma^{i-1} < \gamma^i \wedge (\bigwedge_{j \in [n]} \gamma^{i-1}_j < \gamma^i_j)$

Proof: By induction on $i$.

Base case: $i = 0$. Then, $\alpha|0$ consists of a single state $s$. The proof then parallels the base case of the proof of Proposition 11. We omit the repetitive details.

Induction step: $i > 0$. Assume the inductive hypothesis for $0 \le i < m$, and establish it for $i = m$. By the inductive hypothesis, we obtain

there exists a set of tuples of finite pretraces $\{(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i < m\}$ such that:

1. $\forall i, 0 \le i < m : \gamma^i \approx \mathit{trace}(\alpha|i) \wedge (\bigwedge_{j \in [n]} \gamma^i_j \approx \mathit{trace}((\alpha|i)\lceil A_j))$

2. $\forall i, 0 \le i < m : \mathit{zips}(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$

3. $\forall i, 0 < i < m : \gamma^{i-1} < \gamma^i \wedge (\bigwedge_{j \in [n]} \gamma^{i-1}_j < \gamma^i_j)$

We now establish the inductive hypothesis for $i = m$, that is:
there exists a tuple of pretraces $(\gamma^m, \gamma^m_1, \ldots, \gamma^m_n)$ such that

1. $\gamma^m \approx \mathit{trace}(\alpha|m) \wedge (\bigwedge_{j \in [n]} \gamma^m_j \approx \mathit{trace}((\alpha|m)\lceil A_j))$,

2. $\mathit{zips}(\gamma^m, \gamma^m_1, \ldots, \gamma^m_n)$, and

3. $\gamma^{m-1} < \gamma^m \wedge (\bigwedge_{j \in [n]} \gamma^{m-1}_j < \gamma^m_j)$. $\quad (*)$

There are two cases.

Case 1: $\alpha|m = (\alpha|m{-}1) a t$ for some action $a$ and state $t$, where $a \in \overline{\mathit{ext}(A)(\mathit{last}(\alpha|m{-}1))}$.

Case 2: $\alpha|m = (\alpha|m{-}1) a t$ for some action $a$ and state $t$, where $a \in \mathit{int}(A)(\mathit{last}(\alpha|m{-}1))$.

To establish clauses 1 and 2 of $(*)$, the proofs for these cases proceed in exactly the same way as the proofs for cases 1 and 2 in the proof of Proposition 11, with $\alpha|m{-}1$ playing the role of $\alpha'$, and $\alpha|m$ playing the role of $\alpha$.

To establish clause 3 of $(*)$, we note that, in both cases 1 and 2 in the proof of Proposition 11, $\gamma, \gamma_1, \ldots, \gamma_n$ are constructed as extensions of $\gamma', \gamma'_1, \ldots, \gamma'_n$, respectively. Our proof here proceeds in exactly the same way, with $\gamma^{m-1}, \gamma^{m-1}_1, \ldots, \gamma^{m-1}_n$ playing the role of $\gamma', \gamma'_1, \ldots, \gamma'_n$, respectively, and $\gamma^m, \gamma^m_1, \ldots, \gamma^m_n$ playing the role of $\gamma, \gamma_1, \ldots, \gamma_n$, respectively. We omit the details. □

Proposition 13 establishes the result of Proposition 11 for infinite executions. The proof uses the result of Proposition 12 and constructs the required pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ by taking the limit under the prefix-ordering of the $\gamma^i, \gamma^i_1, \ldots, \gamma^i_n$ given in Proposition 12, as $i$ tends to $\omega$.

Proposition 13 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\alpha$ be any execution of $A$. Then, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \mathit{trace}(\alpha)$, for all $j \in [n]$, $\gamma_j \approx \mathit{trace}(\alpha\lceil A_j)$, and $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$.

Proof: If $\alpha$ is finite, then the result follows from Proposition 11. Hence, assume that $\alpha$ is infinite in the rest of the proof. By Proposition 12, we have

there exists a set of tuples of finite pretraces $\{(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i\}$ such that:

1. $\forall i, 0 \le i : \gamma^i \approx \mathit{trace}(\alpha|i) \wedge (\bigwedge_{j \in [n]} \gamma^i_j \approx \mathit{trace}((\alpha|i)\lceil A_j))$

2. $\forall i, 0 \le i : \mathit{zips}(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$ $\quad (a)$

3. $\forall i, 0 < i : \gamma^{i-1} < \gamma^i \wedge (\bigwedge_{j \in [n]} \gamma^{i-1}_j < \gamma^i_j)$

By clause 3 of (a), we can define $\gamma$ to be the unique sequence such that $\forall i, 0 \le i : \gamma^i < \gamma$, and, for all $j \in [n]$, $\gamma_j$ to be the unique sequence such that $\forall i, 0 \le i : \gamma^i_j < \gamma_j$. From clause 2 of (a) and Definition 13, we conclude $\mathit{zips}(\gamma, \gamma_1, \ldots, \gamma_n)$.

From clause 1 of (a), $\gamma \approx \mathit{trace}(\alpha) \wedge (\bigwedge_{j \in [n]} \gamma_j \approx \mathit{trace}(\alpha\lceil A_j))$.

Hence, the proposition is established. □

Proposition 14 "lifts" the result of Proposition 13 from executions to traces; it shows that if
$\beta$ is a trace of $A = A_1 \| \cdots \| A_n$ then there exist traces $\beta_1, \ldots, \beta_n$ of $A_1, \ldots, A_n$ respectively
which zip up to $\beta$, that is $zip(\beta, \beta_1, \ldots, \beta_n)$ holds. The proof is a straightforward application of
Proposition 13.

Proposition 14 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\beta$ be an
arbitrary element of $traces(A)$. Then, there exist $\beta_1, \ldots, \beta_n$ such that (1) for all $j \in [n] : \beta_j \in
traces(A_j)$, and (2) $zip(\beta, \beta_1, \ldots, \beta_n)$.

Proof: Since $\beta \in traces(A)$, there exists $\alpha \in execs(A)$ such that $trace(\alpha) = \beta$. Applying
Proposition 13 to $\alpha$, we have that there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx trace(\alpha)$,
$(\bigwedge_{j \in [n]} \gamma_j \approx trace(\alpha|A_j))$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.

For all $j \in [n]$, let $\beta_j = trace(\alpha|A_j)$. By Theorem 4, $\alpha|A_j \in execs(A_j)$. Hence $\beta_j \in traces(A_j)$.
Thus, (1) is established.

From $\gamma_j \approx trace(\alpha|A_j)$ and $\beta_j = trace(\alpha|A_j)$, we have $\beta_j \approx \gamma_j$, for all $j \in [n]$. From
$\gamma \approx trace(\alpha)$ and $\beta = trace(\alpha)$, we have $\gamma \approx \beta$. Hence, by Definition 14 and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$, we
conclude $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence (2) is established. □

Theorem 15 gives one of our main results: trace substitutivity. This states that, in a composition
of $n$ SIOA, if one of the SIOA is replaced by another whose traces are a subset of those of
the SIOA that was replaced, then this cannot increase the set of traces of the entire composition.

Theorem 15 (Trace Substitutivity for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let
$A = A_1 \| \cdots \| A_n$. For some $j \in [n]$, let $A_j, A'_j$ be SIOA such that $traces(A_j) \subseteq traces(A'_j)$,
and let $A' = A_1 \| \cdots \| A'_j \| \cdots \| A_n$. Then $traces(A) \subseteq traces(A')$.

Proof: Let $\beta$ be an arbitrary element of $traces(A)$. Then, by Proposition 14, there exist $\beta_1, \ldots, \beta_n$
such that $zip(\beta, \beta_1, \ldots, \beta_n)$, and $\bigwedge_{j \in [n]} \beta_j \in traces(A_j)$. By assumption, $traces(A_j) \subseteq traces(A'_j)$.
Hence $\beta_j \in traces(A'_j)$.

Thus, we have $\beta_j \in traces(A'_j)$, $(\bigwedge_{k \in [n] - j} \beta_k \in traces(A_k))$, and $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence, by
Corollary 10, $\beta \in traces(A')$. Since $\beta$ was chosen arbitrarily, we have $traces(A) \subseteq traces(A')$. □



4 Simulation 

We define a notion of forward simulation [LV95] from one SIOA to another. Our notion requires 
the usual matching of every transition of the implementation by an execution fragment of the 
specification. It also requires that corresponding states have the same external signature. This 
gives us a reasonable notion of refinement, in that an implementation presents to its environment 
only those interfaces (i.e., external signatures) that are allowed by the specification. 

Definition 15 (Forward simulation) Let $A$ and $B$ be SIOA. A forward simulation from $A$ to
$B$ is a relation $f$ over $states(A) \times states(B)$ that satisfies:

1. If $s \in start(A)$, then $f[s] \cap start(B) \neq \emptyset$,

2. If $s \xrightarrow{a}_A s'$ and $t \in f[s]$, then there exist $t' \in f[s'], t_1, \alpha_1, t_2, \alpha_2$ such that

(a) $t \xrightarrow{\alpha_1}_B t_1 \xrightarrow{a}_B t_2 \xrightarrow{\alpha_2}_B t'$,

(b) $\alpha_1, \alpha_2$ contain only internal actions of $B$,

(c) $ext(B)(u) = ext(A)(s)$ for all $u$ along $\alpha_1$ (including $t, t_1$),

(d) $ext(B)(v) = ext(A)(s')$ for all $v$ along $\alpha_2$ (including $t_2, t'$).

We say A < B if a forward simulation from A to B exists. Our notion of correct implementation 
with respect to safety properties is given by trace inclusion, and is implied by forward simulation. 

Theorem 16 If $A \le B$ then $traces(A) \subseteq traces(B)$.

Proof: Let $f$ be a forward simulation from $A$ to $B$. Then, we can show that for every execution
$\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ of $A$, there exists an execution $\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ of $B$ such that $\alpha$ and $\alpha'$
correspond in the following sense. There exists a total, nondecreasing mapping $m : \{0, 1, \ldots, |\alpha|\} \mapsto
\{0, 1, \ldots, |\alpha'|\}$ such that:

1. $m(0) = 0$,

2. $(s_i, u_{m(i)}) \in f$ for all $0 \le i \le |\alpha|$,

3. $trace(u_{m(i-1)}\, b_{m(i-1)+1} \cdots b_{m(i)}\, u_{m(i)}) = trace(s_{i-1} a_i s_i)$ for all $0 < i \le |\alpha|$, and

4. for all $j$, $0 \le j \le |\alpha'|$, there exists an $i$, $0 \le i \le |\alpha|$, such that $m(i) \ge j$.

The mapping $m$ is referred to as an index mapping from $\alpha$ to $\alpha'$ with respect to $f$. We can then
use this correspondence to establish that $trace(\alpha) = trace(\alpha')$. Since $\alpha$ is an arbitrary execution of
$A$, it follows that $traces(A) \subseteq traces(B)$.

The details of the above proof are essentially the same as the proofs of similar results in
[GSSAL93], and are therefore omitted. The only difference is that we have to accommodate our
different definition of a trace, which represents external signatures as well as external actions. Our
notion of forward simulation is designed to exactly accommodate our notion of trace in this respect.
□
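The check that Definition 15 requires can be mechanised for small finite automata. The following is an added example, not code from the paper: it represents an SIOA by its start states, a state-dependent signature and a step set, searches for the matching fragment $t \xrightarrow{\alpha_1} t_1 \xrightarrow{a} t_2 \xrightarrow{\alpha_2} t'$ of clause 2, and enforces clauses 2b to 2d by only following internal steps between states whose external signature equals that of the implementation state. The automata IMPL, SPEC and SPEC_BAD and the relation F are constructed for illustration; SPEC_BAD shows the point the text makes: a specification state that offers an extra output is rejected even though an ordinary forward simulation (one that ignores signatures) would accept it.

```python
"""Checker for Definition 15 (forward simulation between SIOA) on small finite automata.

Added example; not code from the paper.  An SIOA is modelled by its start states, a
state-dependent signature sig(s) = (inputs, outputs, internals) and a set of steps (s, a, s').
The automata IMPL, SPEC and SPEC_BAD below are constructed for illustration."""
from collections import deque


class SIOA:
    def __init__(self, start, sig, steps):
        self.start = set(start)
        self.sig = dict(sig)      # state -> (in, out, int), each a frozenset of action names
        self.steps = set(steps)   # triples (s, a, s')

    def ext(self, s):
        """External signature ext(A)(s) = (in, out)."""
        inp, out, _ = self.sig[s]
        return (inp, out)

    def succ(self, s, a):
        return {t for (u, b, t) in self.steps if u == s and b == a}

    def internal_closure(self, t, ext_sig):
        """States reachable from t by fragments of internal actions only, where every
        state on the fragment (t included) has external signature ext_sig (clauses 2b-2d)."""
        if self.ext(t) != ext_sig:
            return set()
        seen, work = {t}, deque([t])
        while work:
            u = work.popleft()
            for (v, b, w) in self.steps:
                if v == u and b in self.sig[u][2] and self.ext(w) == ext_sig and w not in seen:
                    seen.add(w)
                    work.append(w)
        return seen


def is_forward_simulation(f, A, B):
    """Decide whether relation f (a set of (s, t) pairs) is a forward simulation from A to B.
    Returns (True, None), or (False, witness) naming the clause of Definition 15 that fails."""
    def image(s):
        return {t for (u, t) in f if u == s}

    for s in A.start:                                   # clause 1
        if not (image(s) & B.start):
            return False, ("start", s)
    for (s, a, s2) in A.steps:                          # clause 2
        for t in image(s):
            matched = False
            for t1 in B.internal_closure(t, A.ext(s)):             # t ==alpha1==> t1
                for t2 in B.succ(t1, a):                           # t1 --a--> t2
                    if B.internal_closure(t2, A.ext(s2)) & image(s2):  # t2 ==alpha2==> t' in f[s']
                        matched = True
                        break
                if matched:
                    break
            if not matched:
                return False, ("step", s, a, s2, t)
    return True, None


def fs(*xs):
    return frozenset(xs)

# Implementation: a request/response server with no internal work (constructed).
IMPL = SIOA(start={"idle"},
            sig={"idle": (fs("req"), fs(), fs()), "busy": (fs(), fs("resp"), fs())},
            steps={("idle", "req", "busy"), ("busy", "resp", "idle")})

# Specification: same interface, but an internal step 'work' precedes the response (constructed).
SPEC = SIOA(start={"i"},
            sig={"i": (fs("req"), fs(), fs()),
                 "w": (fs(), fs("resp"), fs("work")),
                 "b": (fs(), fs("resp"), fs())},
            steps={("i", "req", "w"), ("w", "work", "b"), ("b", "resp", "i")})

# Specification whose state 'w' offers an extra output 'log' to the environment.  A plain forward
# simulation would accept it; Definition 15 rejects it because ext(B)(w) != ext(A)(busy).
SPEC_BAD = SIOA(start={"i"},
                sig={"i": (fs("req"), fs(), fs()),
                     "w": (fs(), fs("resp", "log"), fs("work")),
                     "b": (fs(), fs("resp"), fs())},
                steps={("i", "req", "w"), ("w", "work", "b"), ("b", "resp", "i")})

F = {("idle", "i"), ("busy", "w"), ("busy", "b")}

if __name__ == "__main__":
    print(is_forward_simulation(F, IMPL, SPEC))      # (True, None)
    print(is_forward_simulation(F, IMPL, SPEC_BAD))  # (False, ('step', ...))
```

The witness returned on failure names the implementation step and the related specification state for which no matching fragment exists, which is the information one needs to either repair the relation or conclude that the implementation presents an interface the specification does not allow.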



5 Configurations and Configuration Automata 

Suppose $a$ is an action of SIOA $A$ whose execution has the side-effect of creating another SIOA $B$.
To model this, we must keep track of the set of "alive" SIOA, i.e., those that have been created but
not destroyed (we consider the automata that are initially present to be "created at time zero").
Thus, we require a transition relation over sets of SIOA. We also need to keep track of the current
global state, i.e., the tuple of local states of every SIOA that is alive. Thus, we replace the notion
of global state with the notion of "configuration," i.e., the set $\mathcal{A}$ of alive SIOA, and a mapping $S$
with domain $\mathcal{A}$ such that $S(A)$ is the current local state of $A$, for each SIOA $A \in \mathcal{A}$.

A configuration contains within it a set of SIOA, each of which embodies a transition relation. 
Thus, the possible transitions out of a configuration cannot be given arbitrarily, as when defining 
a transition relation over "unstructured" states. Rather, these transitions should be "intrinsically" 
determined by the SIOA in the configuration. Below we define the intrinsic transitions between 
configurations, and then define a "configuration automaton" as an SIOA whose transition relation 
respects these intrinsic transitions. Configuration automata are our principal semantic objects. 
Definition 16 (Configuration, Compatible configuration) A configuration is a pair $(\mathcal{A}, S)$
where

• $\mathcal{A}$ is a finite set of signature I/O automaton identifiers, and

• $S$ maps each $A \in \mathcal{A}$ to an $s \in states(A)$.

A configuration $(\mathcal{A}, S)$ is compatible iff, for all $A \in \mathcal{A}$, $B \in \mathcal{A}$, $A \neq B$:

1. $sig(A)(S(A)) \cap int(B)(S(B)) = \emptyset$, and

2. $out(A)(S(A)) \cap out(B)(S(B)) = \emptyset$.

The compatibility condition is the usual I/O automaton compatibility condition [LT89], applied
to a configuration. If $C = (\mathcal{A}, S)$ is a configuration, then we use $(A, s) \in C$ as shorthand for
$A \in \mathcal{A} \wedge S(A) = s$.

A configuration is a "flat" structure in that it consists of a set of SIOA (identifier, local-state)
pairs, with no grouping information. Such grouping could arise, for example, by the composition
of subsystems into larger subsystems. This grouping will be reflected in the states of configuration
automata, rather than the configurations themselves, which are not states, but are the semantic
denotations of states. We defined a configuration to be a set of SIOA identifiers together with
a mapping from identifiers to SIOA states. Hence, every SIOA is uniquely distinguished by its
identifier. Thus our formalism does not a priori admit the existence of clones, as discussed in the
introduction.

Definition 17 (Intrinsic signature of a configuration) Let $C = (\mathcal{A}, S)$ be a compatible
configuration. Then we define

• $auts(C) = \mathcal{A}$

• $map(C) = S$

• $out(C) = \bigcup_{A \in \mathcal{A}} out(A)(S(A))$

• $in(C) = (\bigcup_{A \in \mathcal{A}} in(A)(S(A))) - out(C)$

• $int(C) = \bigcup_{A \in \mathcal{A}} int(A)(S(A))$

• $ext(C) = (in(C), out(C))$

• $sig(C) = (in(C), out(C), int(C))$

We call $sig(C)$ the intrinsic signature of $C$, since it is determined solely by $C$.

Let $C = (\mathcal{A}, S)$ be a configuration. Define $reduce(C) = (\mathcal{A}', S|\mathcal{A}')$, where $\mathcal{A}' = \{A \mid A \in
\mathcal{A} \text{ and } sig(A)(S(A)) \neq \emptyset\}$. $C$ is a reduced configuration iff $C = reduce(C)$.

A consequence of this definition is that an empty configuration cannot execute any transitions.
Note also that we do not define transitions from a non-compatible configuration. Thus, the initial
configuration of a transition is guaranteed to be compatible. However, the final configuration of a
transition may not be compatible. This may arise, for example, when two SIOA are involved in
executing an action $a$, and their signatures in their final local states may contain output actions in
common. Another possibility is when a new SIOA is created, and its signature in its initial state
violates the compatibility condition (Definition 16) with respect to an already existing SIOA.

We now define the intrinsic transitions $\Rightarrow_\varphi$ that can be taken from a given configuration
$(\mathcal{A}, S)$. Our definition is parametrized by a set $\varphi$ of SIOA identifiers which represents SIOA which
are to be "created" by the execution of the transition. This set is not determined by the transition
itself, but rather by the configuration automaton which has $(\mathcal{A}, S)$ as the semantic denotation of
one of its states. Thus, it has to be supplied to the definition as a parameter.

Definition 18 ($\Rightarrow_\varphi$) Let $(\mathcal{A}, S), (\mathcal{A}', S')$ be arbitrary reduced compatible configurations, and let
$\varphi \subseteq Autids$. Then $(\mathcal{A}, S) \stackrel{a}{\Rightarrow}_\varphi (\mathcal{A}', S')$ iff there exists a compatible configuration $(\mathcal{A}'', S'')$ such
that

1. $\mathcal{A}'' = \mathcal{A} \cup \varphi$,

2. for all $A \in \mathcal{A}'' - \mathcal{A}$: $S''(A) \in start(A)$,

3. for all $A \in \mathcal{A}$: if $a \in sig(A)(S(A))$ then $S(A) \xrightarrow{a}_A S''(A)$, otherwise $S(A) = S''(A)$,

4. $(\mathcal{A}', S') = reduce((\mathcal{A}'', S''))$

All the SIOA with identifiers in $\varphi - \mathcal{A}$ ($= \mathcal{A}'' - \mathcal{A}$) are "created" in some start state (Clause 2).
Also, we apply the $reduce$ operator to the intermediate configuration $(\mathcal{A}'', S'')$ to obtain the final
configuration $(\mathcal{A}', S')$ resulting from the transition. This removes all SIOA which have an empty
signature, and is our mechanism for destroying SIOA. An SIOA with an empty signature cannot
execute any transition, and so cannot change its state. Thus it will remain forever in its current
state, and will be unable to interact with any other SIOA. Thus, an SIOA "self-destructs" by
moving to a state with an empty signature. This is the only mechanism for SIOA destruction. In
particular, we do not permit one SIOA to destroy another, although an SIOA can certainly send a
"please destroy yourself" request to another SIOA.

Definition 19 (Configuration Automaton) A configuration automaton $X$ consists of the following
components

1. A signature I/O automaton $sioa(X)$.

For brevity, we define $states(X) = states(sioa(X))$, $start(X) = start(sioa(X))$, $sig(X) =
sig(sioa(X))$, $steps(X) = steps(sioa(X))$, and likewise for all other (sub)components and
attributes of $sioa(X)$.

2. A configuration mapping $config(X)$ with domain $states(X)$ and such that $config(X)(x)$ is a
reduced compatible configuration for all $x \in states(X)$

3. For each $x \in states(X)$, a mapping $created(X)(x)$ with domain $sig(X)(x)$ and such that
$created(X)(x)(a) \subseteq Autids$ for all $a \in sig(X)(x)$.

and satisfies the following constraints

1. If $x \in start(X)$ and $(A, s) \in config(X)(x)$, then $s \in start(A)$

2. If $(x, a, y) \in steps(X)$ then $config(X)(x) \stackrel{a}{\Rightarrow}_\varphi config(X)(y)$, where $\varphi = created(X)(x)(a)$.

3. If $x \in states(X)$ and $config(X)(x) \stackrel{a}{\Rightarrow}_\varphi D$ for some action $a$, $\varphi = created(X)(x)(a)$, and
reduced compatible configuration $D$, then $\exists y \in states(X) : config(X)(y) = D$ and $(x, a, y) \in
steps(X)$

4. For all $x \in states(X)$

(a) $out(X)(x) \subseteq out(config(X)(x))$

(b) $in(X)(x) = in(config(X)(x))$

(c) $int(X)(x) \supseteq int(config(X)(x))$

(d) $out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup int(config(X)(x))$

The above constraints are needed to properly reflect the intrinsic transitions $\Rightarrow_\varphi$ that a compatible
configuration is capable of: all of the successor configurations generated by such transitions
must be represented in the states and transitions of $X$. This is a significant difference with the
basic I/O automaton model: there, states are either "atomic" entities, or tuples of tuples of . . . of
atomic entities. Thus, states, in and of themselves, embody no information about their possible
successor states. That information is given by the transition relation, and there are no constraints
on the transition relation itself: any set of triples (state, action, state) which respects the input
enabling requirement can be a transition relation.
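To make Definitions 16 to 18 above concrete, here is an added example (not code from the paper) that computes compatibility, the intrinsic signature, $reduce$, and the set of configurations $C'$ with $C \stackrel{a}{\Rightarrow}_\varphi C'$ for small finite SIOA. The automata P, C and D, the action names and the identifiers are constructed: P creates C by executing 'spawn' (the creation set $\varphi$ is passed in, as the text says it must be), C "self-destructs" after its 'done' output by moving to a state with an empty signature, and creating D alongside C is rejected because the intermediate configuration violates Definition 16.

```python
"""Configurations and intrinsic transitions (Definitions 16, 17, 18) on small finite SIOA.

Added example; not code from the paper.  A configuration (A, S) is a dict mapping each alive
identifier to its local state; AUTS maps identifiers to the automata themselves.  The parent
'P' and children 'C', 'D' below are constructed to show creation and self-destruction."""
import itertools


class SIOA:
    def __init__(self, start, sig, steps):
        self.start = set(start)
        self.sig = dict(sig)      # state -> (in, out, int) sets
        self.steps = set(steps)   # triples (s, a, s')

    def acts(self, s):
        """sig(A)(s) as one flat set of actions."""
        inp, out, intl = self.sig[s]
        return inp | out | intl

    def succ(self, s, a):
        return {t for (u, b, t) in self.steps if u == s and b == a}


def is_compatible(cfg, auts):
    """Definition 16: no action of A is internal to B, and no two SIOA share an output."""
    for A in cfg:
        for B in cfg:
            if A == B:
                continue
            if auts[A].acts(cfg[A]) & auts[B].sig[cfg[B]][2]:
                return False
            if auts[A].sig[cfg[A]][1] & auts[B].sig[cfg[B]][1]:
                return False
    return True


def intrinsic_sig(cfg, auts):
    """Definition 17: (in(C), out(C), int(C)); an input that some member outputs is not an input of C."""
    out = set().union(*(auts[A].sig[s][1] for A, s in cfg.items()))
    inp = set().union(*(auts[A].sig[s][0] for A, s in cfg.items())) - out
    intl = set().union(*(auts[A].sig[s][2] for A, s in cfg.items()))
    return (inp, out, intl)


def reduce_cfg(cfg, auts):
    """reduce(C): drop every SIOA whose current signature is empty (the destruction mechanism)."""
    return {A: s for A, s in cfg.items() if auts[A].acts(s)}


def intrinsic_steps(cfg, a, phi, auts):
    """Definition 18: all C' with C =a=>_phi C', for a reduced compatible configuration C."""
    assert cfg == reduce_cfg(cfg, auts) and is_compatible(cfg, auts)
    choices = []
    for A, s in cfg.items():           # clause 3: members with a in their signature take an a-step
        if a in auts[A].acts(s):
            choices.append([(A, t) for t in auts[A].succ(s, a)])
        else:
            choices.append([(A, s)])
    for A in phi - set(cfg):           # clauses 1-2: created SIOA begin in a start state
        choices.append([(A, t) for t in auts[A].start])
    result = []
    for combo in itertools.product(*choices):
        intermediate = dict(combo)     # the configuration (A'', S'')
        if is_compatible(intermediate, auts):   # no transition if the intermediate is incompatible
            result.append(reduce_cfg(intermediate, auts))   # clause 4
    return result


E = set()
# P outputs 'spawn', then waits for 'done' from the child and returns to its first state.
P = SIOA({"p0"}, {"p0": (E, {"spawn"}, E), "p1": ({"done"}, E, E)},
         {("p0", "spawn", "p1"), ("p1", "done", "p0")})
# C outputs 'done' once and then moves to a state with an empty signature: it self-destructs.
C = SIOA({"c0"}, {"c0": (E, {"done"}, E), "c1": (E, E, E)}, {("c0", "done", "c1")})
# D also outputs 'done' in its start state, so it cannot coexist with C (Definition 16, clause 2).
D = SIOA({"d0"}, {"d0": (E, {"done"}, E)}, set())
AUTS = {"P": P, "C": C, "D": D}


def run_scenario():
    """'spawn' creates C; the shared 'done' step destroys C and returns P to p0."""
    after_spawn = intrinsic_steps({"P": "p0"}, "spawn", {"C"}, AUTS)    # [{'P': 'p1', 'C': 'c0'}]
    after_done = intrinsic_steps(after_spawn[0], "done", set(), AUTS)  # [{'P': 'p0'}]
    return after_spawn, after_done

if __name__ == "__main__":
    print(run_scenario())
    print(intrinsic_steps({"P": "p0"}, "spawn", {"C", "D"}, AUTS))     # [] : creation violates Def. 16
```

Because the successor is computed from the member automata and the creation set alone, the function returns every configuration the intrinsic relation admits; a configuration automaton's transition relation (Definition 19, constraints 2 and 3) must then contain exactly these.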

Since an SIOA that is created "within" a configuration automaton always remains within
that automaton, we see that configuration automata serve as a natural encapsulation boundary
for component creation. Even if an SIOA migrates and changes its location, it always remains a
part of the same configuration automaton. Migration and location are not primitive notions in our
model but are built on top of configuration automata and variable signatures, see Section 7 below.

In the sequel, we write $config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} config(X)(y)$ as an abbreviation for
"$config(X)(x) \stackrel{a}{\Rightarrow}_\varphi config(X)(y)$ where $\varphi = created(X)(x)(a)$."

Definition 20 Let $X$ be a configuration automaton. For each $x \in states(X)$, define $auts(X)(x) =
auts(config(X)(x))$. That is, $auts$ is a mapping from each state $x$ of $X$ to the set of SIOA in
$config(X)(x)$.

Definition 21 (Execution, trace of configuration automaton) A configuration automaton $X$
inherits the notions of execution fragment and execution from $sioa(X)$. Thus, $\alpha$ is an execution
fragment (execution) of $X$ iff it is an execution fragment (execution) of $sioa(X)$. $execs(X)$ denotes
the set of executions of configuration automaton $X$. $X$ also inherits the notion of trace from
$sioa(X)$. Thus, $\beta$ is a trace of $X$ iff it is a trace of $sioa(X)$. $traces(X)$ denotes the set of traces of
configuration automaton $X$.

We write $C \longrightarrow_X C'$ iff there exists an execution fragment $\alpha$ (with $|\alpha| \ge 1$) of $X$ starting in $C$
and ending in $C'$.

5.1 Parallel Composition of Configuration I/O Automata 

We now deal with the composition of configuration automata. 
Definition 22 (Union of configurations) Let $C_1 = (\mathcal{A}_1, S_1)$ and $C_2 = (\mathcal{A}_2, S_2)$ be configurations
such that $\mathcal{A}_1 \cap \mathcal{A}_2 = \emptyset$. Then, the union of $C_1$ and $C_2$, denoted $C_1 \cup C_2$, is the configuration
$C = (\mathcal{A}, S)$ where $\mathcal{A} = \mathcal{A}_1 \cup \mathcal{A}_2$, and $S$ agrees with $S_1$ on $\mathcal{A}_1$, and with $S_2$ on $\mathcal{A}_2$.

It is clear that configuration union is commutative and associative. Hence, we will freely use
the $n$-ary notation $C_1 \cup \cdots \cup C_n$ (for any $n > 1$) whenever $\bigwedge_{i, j \in [n], i \neq j} auts(C_i) \cap auts(C_j) = \emptyset$.

Definition 23 (Compatible configuration automata) Let $X_1, \ldots, X_n$ be configuration
automata. $X_1, \ldots, X_n$ are compatible iff, for every $(x_1, \ldots, x_n) \in states(X_1) \times \cdots \times states(X_n)$,

1. for all $i, j \in [n]$, $i \neq j$, $auts(config(X_i)(x_i)) \cap auts(config(X_j)(x_j)) = \emptyset$.

2. $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is a reduced compatible configuration.

3. $\{sig(X_1)(x_1), \ldots, sig(X_n)(x_n)\}$ is a set of compatible signatures

Definition 24 (Composition of configuration automata) Let $X_1, \ldots, X_n$ be compatible
configuration automata. Then $X = X_1 \| \cdots \| X_n$ is the state machine consisting of the following
components:

1. $sioa(X) = sioa(X_1) \| \cdots \| sioa(X_n)$

2. A configuration mapping $config(X)$ given as follows. For each $x = (x_1, \ldots, x_n) \in states(X)$,
$config(X)(x) = config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$.

3. For each $x \in states(X)$, a mapping $created(X)(x)$ with domain $sig(X)(x)$ and given as
follows. For each $a \in sig(X)(x)$, $created(X)(x)(a) = \bigcup_{a \in sig(X_i)(x_i),\, i \in [n]} created(X_i)(x_i)(a)$.

As in Definition 19, we define $states(X) = states(sioa(X))$, $start(X) = start(sioa(X))$, $sig(X) =
sig(sioa(X))$, $steps(X) = steps(sioa(X))$, and likewise for all other (sub)components and attributes
of $sioa(X)$.



Proposition 17 Let $X_1, \ldots, X_n$ be compatible configuration automata. Then $X = X_1 \| \cdots \| X_n$
is a configuration automaton.
Proof: We must show that $X$ satisfies the constraints of Definition 19. Since $X_1, \ldots, X_n$ are
configuration automata, they already satisfy the constraints. The argument for each constraint
then uses this together with Definition 24 to show that $X$ itself satisfies the constraints. The
details are as follows, for each constraint in turn.

Constraint 1. Let $x \in start(X)$ and $(A, s) \in config(X)(x)$. Then, $x = (x_1, \ldots, x_n)$ where $x_i \in
start(X_i)$ for $1 \le i \le n$. By Definition 24, $config(X)(x) = config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$.
Hence $(A, s) \in config(X_j)(x_j)$ for some $j \in [n]$. Also, $x_j \in start(X_j)$. Since $X_j$ is a configuration
automaton, we apply Constraint 1 to $X_j$ to conclude $s \in start(A)$. Hence, Constraint 1 holds for
$X$.

Constraint 2. Let $(x, a, y)$ be an arbitrary element of $steps(X)$. We will establish
$config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} config(X)(y)$.

For brevity, let $A_i = sioa(X_i)$ for $i \in [n]$. Now $(x, a, y) \in steps(X)$. So $(x, a, y) \in steps(sioa(X))$
by Definition 24. Also by Definition 24, $sioa(X) = sioa(X_1) \| \cdots \| sioa(X_n) = A_1 \| \cdots \| A_n$. So,
$(x, a, y) \in steps(A_1 \| \cdots \| A_n)$. Since $x, y \in states(A_1 \| \cdots \| A_n)$, we can write $x, y$ as $(x_1, \ldots, x_n)$,
$(y_1, \ldots, y_n)$ respectively, where $x_i, y_i \in states(A_i)$ for $i \in [n]$. From Definition 6, there exists a
nonempty $\varphi \subseteq [n]$ such that

$(\bigwedge_{i \in \varphi} a \in sig(A_i)(x_i) \wedge (x_i, a, y_i) \in steps(A_i)) \wedge (\bigwedge_{i \in [n] - \varphi} a \notin sig(A_i)(x_i) \wedge x_i = y_i)$ (a)

Each $X_i$, $i \in [n]$, is a configuration automaton. Hence, by (a) and constraint 2 applied to each $X_i$,
$i \in \varphi$,

$\bigwedge_{i \in \varphi} (config(X_i)(x_i) \stackrel{a}{\Rightarrow}_{X_i, x_i} config(X_i)(y_i))$. (b)

Also by (a),

$\bigwedge_{i \in [n] - \varphi} (config(X_i)(x_i) = config(X_i)(y_i))$. (c)

Since $X_1, \ldots, X_n$ are compatible, we have, by Definition 23, that $auts(config(X_i)(x_i)) \cap
auts(config(X_j)(x_j)) = \emptyset$ for all $i, j \in [n]$, $i \neq j$, i.e., all SIOA in these configurations are unique,
and that $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is a compatible configuration. Since $X_1, \ldots, X_n$
are configuration automata, each of $config(X_1)(x_1), \ldots, config(X_n)(x_n)$ is a reduced configuration,
by Definition 19. Hence $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is also reduced, and is therefore a
reduced compatible configuration.

By Definition 24, $created(X)(x)(a) = \bigcup_{a \in sig(X_i)(x_i),\, i \in [n]} created(X_i)(x_i)(a)$. By this, (b,c), and
Definition 18, we obtain

$(\bigcup_{i \in [n]} config(X_i)(x_i)) \stackrel{a}{\Rightarrow}_{X,x} (\bigcup_{i \in [n]} config(X_i)(y_i))$. (d)

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$ and $config(X)(y) = \bigcup_{i \in [n]} config(X_i)(y_i)$.
Hence

$config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} config(X)(y)$,

and we are done.

Constraint 3. Let $x$ be an arbitrary state in $states(X)$ and $D$ an arbitrary reduced compatible
configuration such that $config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} D$. We must show $\exists y \in states(X) : (x, a, y) \in
steps(X)$ and $config(X)(y) = D$.

We can write $x$ as $(x_1, \ldots, x_n)$ where $x_i \in states(X_i)$ for $i \in [n]$.

Since $X_1, \ldots, X_n$ are compatible, we have, by Definition 23, that $auts(config(X_i)(x_i)) \cap
auts(config(X_j)(x_j)) = \emptyset$ for all $i, j \in [n]$, $i \neq j$, (thus, all SIOA in these configurations are unique)
and that $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is a compatible configuration. Also, from Definition 24,
$config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. Hence from $config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} D$,

$(\bigcup_{i \in [n]} config(X_i)(x_i)) \stackrel{a}{\Rightarrow}_{X,x} D$. (a)

Hence, from Definition 18, there exists a nonempty $\varphi \subseteq [n]$ such that

$(\bigwedge_{i \in \varphi} a \in sig(X_i)(x_i)) \wedge (\bigwedge_{i \in [n] - \varphi} a \notin sig(X_i)(x_i))$ (b)

We now define $D_i$, $1 \le i \le n$, as follows.

For $i \in [n] - \varphi$, $D_i = config(X_i)(x_i)$.

For $i \in \varphi$, $D_i = (D\mathcal{A}_i, map(D)|D\mathcal{A}_i)$, where

$D\mathcal{A}_i = \{A : A \in D \text{ and } [A \in auts(config(X_i)(x_i)) \text{ or } A \in created(X_i)(x_i)(a)]\}$.

Hence, by definition of $D_i$, Definition 18, (a), and the compatibility of $X_1, \ldots, X_n$, we have

$\bigwedge_{i \in \varphi} (config(X_i)(x_i) \stackrel{a}{\Rightarrow}_{X_i, x_i} D_i)$ (c)

Now each $X_i$, $i \in [n]$, is a configuration automaton. Hence, from (c) and constraint 3 applied to
$X_i$, $i \in \varphi$,

$\bigwedge_{i \in \varphi} \exists y_i \in states(X_i) : config(X_i)(y_i) = D_i \text{ and } (x_i, a, y_i) \in steps(X_i)$ (d)

Let $y = (y_1, \ldots, y_n)$ where, for $i \in \varphi$, $y_i$ is given by (d), and for $i \in [n] - \varphi$, $y_i = x_i$. Hence,
for $i \in [n]$, $y_i \in states(X_i)$. Since $X_1, \ldots, X_n$ are compatible configuration automata, we get, by
Definitions 19 and 23,

$auts(config(X_i)(y_i)) \cap auts(config(X_j)(y_j)) = \emptyset$ for all $i, j \in [n]$, $i \neq j$, and
$config(X_1)(y_1) \cup \cdots \cup config(X_n)(y_n)$ is a reduced compatible configuration. (e)

Thus, in particular, all SIOA in the configurations $config(X_1)(y_1), \ldots, config(X_n)(y_n)$ are unique.
From (d), for $i \in \varphi$, $config(X_i)(y_i) = D_i$. By definition of $D_i$, for $i \in [n] - \varphi$, $config(X_i)(x_i) = D_i$.
By definition of $y_i$, for $i \in [n] - \varphi$, $y_i = x_i$. Hence, for $i \in [n] - \varphi$, $config(X_i)(y_i) = D_i$. Combining
these, we get

$\bigwedge_{i \in [n]} config(X_i)(y_i) = D_i$ (f)

From the definition of $D_i$ and Definition 18, we have that $D = D_1 \cup \cdots \cup D_n$. Also, by Definition 24,
$config(X)(y) = \bigcup_{i \in [n]} config(X_i)(y_i)$. By this, (f), and $D = D_1 \cup \cdots \cup D_n$,

$config(X)(y) = D$. (g)

By definition of $y_i$, for $i \in [n] - \varphi$, $y_i = x_i$. By (d), for $i \in \varphi$, $(x_i, a, y_i) \in steps(X_i)$. From these
and (b), we get

$\bigwedge_{i \in \varphi} a \in sig(X_i)(x_i) \wedge (x_i, a, y_i) \in steps(X_i)$

$\bigwedge_{i \in [n] - \varphi} a \notin sig(X_i)(x_i) \wedge y_i = x_i$.

From this, $x = (x_1, \ldots, x_n)$, $y = (y_1, \ldots, y_n)$, and Definitions 6 and 24, we conclude $(x, a, y) \in
steps(X)$. From this and (g), we have

$(x, a, y) \in steps(X)$ and $config(X)(y) = D$,

and we are done.

Constraint 4. We treat each subconstraint in turn.

Constraint 4a: $out(X)(x) \subseteq out(config(X)(x))$.
By Definitions 24 and 6,

$out(X)(x) = \bigcup_{i \in [n]} out(X_i)(x_i)$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraint 4a. Hence

$\bigwedge_{i \in [n]} out(X_i)(x_i) \subseteq out(config(X_i)(x_i))$.

Taking the unions of both sides, over all $i \in [n]$, we obtain

$(\bigcup_{i \in [n]} out(X_i)(x_i)) \subseteq (\bigcup_{i \in [n]} out(config(X_i)(x_i)))$. (b)

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compatible
configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible
configuration. So, from Definition 17, we obtain

$out(config(X)(x)) = \bigcup_{i \in [n]} out(config(X_i)(x_i))$. (c)

From (a,b,c), we obtain $out(X)(x) = \bigcup_{i \in [n]} out(X_i)(x_i) \subseteq (\bigcup_{i \in [n]} out(config(X_i)(x_i))) = out(config(X)(x))$,
as desired.

Constraint 4b: $in(X)(x) = in(config(X)(x))$. By Definitions 24 and 6,

$in(X)(x) = (\bigcup_{i \in [n]} in(X_i)(x_i)) - (\bigcup_{i \in [n]} out(X_i)(x_i))$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraints 4a and 4b. Hence

$\bigwedge_{i \in [n]} in(X_i)(x_i) = in(config(X_i)(x_i))$,

$\bigwedge_{i \in [n]} out(X_i)(x_i) \subseteq out(config(X_i)(x_i))$. (b)

Since the $X_i$ are configuration automata, they all satisfy constraint 4d. Hence

$\bigwedge_{i \in [n]} out(X_i)(x_i) \cup int(X_i)(x_i) = out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))$. (c)

And so,

$\bigwedge_{i \in [n]} out(config(X_i)(x_i)) \subseteq out(X_i)(x_i) \cup int(X_i)(x_i)$. (d)

Since $out(X_i)(x_i) \cap int(X_i)(x_i) = \emptyset$ for all $i \in [n]$, by the partitioning of actions into input, output,
and internal, we have, by (b,d)

$\bigwedge_{i \in [n]} out(X_i)(x_i) = out(config(X_i)(x_i)) - int(X_i)(x_i)$. (e)

Taking the unions of both sides, over all $i \in [n]$, in (b) and (e), we obtain

$(\bigcup_{i \in [n]} in(X_i)(x_i)) = (\bigcup_{i \in [n]} in(config(X_i)(x_i)))$,

$(\bigcup_{i \in [n]} out(X_i)(x_i)) = (\bigcup_{i \in [n]} out(config(X_i)(x_i)) - int(X_i)(x_i))$. (f)

From (a,f), we obtain

$in(X)(x) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} out(config(X_i)(x_i)) - int(X_i)(x_i))$. (g)

From (c),

$\bigwedge_{i \in [n]} int(X_i)(x_i) \subseteq out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))$. (h)

Now $(out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))) \cap in(config(X_i)(x_i)) = \emptyset$, for all $i \in [n]$, by the
partitioning of actions into input, output, and internal. Hence, by (h),

$\bigwedge_{i \in [n]} int(X_i)(x_i) \cap in(config(X_i)(x_i)) = \emptyset$. (i)

From (b,i), and the compatibility of $X_1, \ldots, X_n$, we get

$(\bigcup_{i \in [n]} int(X_i)(x_i)) \cap (\bigcup_{i \in [n]} in(config(X_i)(x_i))) = \emptyset$. (j)

From (g,j)

$in(X)(x) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} out(config(X_i)(x_i)))$. (k)

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compatible
configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible
configuration. So, from Definition 17, we obtain

$in(config(X)(x)) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} out(config(X_i)(x_i)))$. (l)

Finally, from (k,l), we obtain $in(X)(x) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} out(config(X_i)(x_i)))
= in(config(X)(x))$, as desired.

Constraint 4c: $int(X)(x) \supseteq int(config(X)(x))$.
By Definitions 24 and 6,

$int(X)(x) = \bigcup_{i \in [n]} int(X_i)(x_i)$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraint 4c. Hence

$\bigwedge_{i \in [n]} int(X_i)(x_i) \supseteq int(config(X_i)(x_i))$.

Taking the unions of both sides, over all $i \in [n]$, we obtain

$(\bigcup_{i \in [n]} int(X_i)(x_i)) \supseteq (\bigcup_{i \in [n]} int(config(X_i)(x_i)))$. (b)

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compatible
configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible
configuration. So, from Definition 17, we obtain

$int(config(X)(x)) = \bigcup_{i \in [n]} int(config(X_i)(x_i))$. (c)

From (a,b,c), we obtain $int(X)(x) = \bigcup_{i \in [n]} int(X_i)(x_i) \supseteq (\bigcup_{i \in [n]} int(config(X_i)(x_i))) = int(config(X)(x))$,
as desired.

Constraint 4d: $out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup int(config(X)(x))$.
By Definitions 24 and 6,

$out(X)(x) = \bigcup_{i \in [n]} out(X_i)(x_i)$,

$int(X)(x) = \bigcup_{i \in [n]} int(X_i)(x_i)$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraint 4d. Hence

$\bigwedge_{i \in [n]} (out(X_i)(x_i) \cup int(X_i)(x_i)) = (out(config(X_i)(x_i)) \cup int(config(X_i)(x_i)))$.

Taking the unions of both sides, over all $i \in [n]$, we obtain

$(\bigcup_{i \in [n]} out(X_i)(x_i) \cup int(X_i)(x_i)) = (\bigcup_{i \in [n]} out(config(X_i)(x_i)) \cup int(config(X_i)(x_i)))$. (b)

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compatible
configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible
configuration. So, from Definition 17, we obtain

$out(config(X)(x)) = \bigcup_{i \in [n]} out(config(X_i)(x_i))$,

$int(config(X)(x)) = \bigcup_{i \in [n]} int(config(X_i)(x_i))$. (c)

From (a,b,c), we obtain $(out(X)(x) \cup int(X)(x)) = (\bigcup_{i \in [n]} out(X_i)(x_i) \cup int(X_i)(x_i)) =
(\bigcup_{i \in [n]} out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))) = out(config(X)(x)) \cup int(config(X)(x))$, as
desired.

Since we have established that $X$ satisfies all the constraints, the proof is done. □

5.2 Action Hiding for Configuration Automata 

Definition 25 (Action hiding for configuration automata) Let $X$ be a configuration automaton
and $\Sigma$ a set of actions. Then $X \setminus \Sigma$ is the state machine consisting of the following components:

1. $sioa(X \setminus \Sigma) = sioa(X) \setminus \Sigma$

2. A configuration mapping $config(X \setminus \Sigma) = config(X)$

3. For each $x \in states(X \setminus \Sigma)$, a mapping $created(X \setminus \Sigma)(x) = created(X)(x)$

As in Definition 19, we define $states(X) = states(sioa(X))$, $start(X) = start(sioa(X))$, $sig(X) =
sig(sioa(X))$, $steps(X) = steps(sioa(X))$, and likewise for all other (sub)components and attributes
of $sioa(X)$.

Proposition 18 Let $X$ be a configuration automaton and $\Sigma$ a set of actions. Then $X \setminus \Sigma$ is a
configuration automaton.
Proof: We must show that $X \setminus \Sigma$ satisfies the constraints of Definition 19. Since $X$ is a configuration
automaton, constraints 1, 2, and 3 hold for $X$. From Definitions 25 and 7, we see that the only
components of $X$ and $X \setminus \Sigma$ that differ are the signature and its various subsets. Now constraints 1,
2, and 3 do not involve the signature. Hence, they also hold for $X \setminus \Sigma$.

We deal with each subconstraint of Constraint 4 in turn.

Constraint 4a: $out(X \setminus \Sigma)(x) \subseteq out(config(X \setminus \Sigma)(x))$.

By Definition 25, $out(X \setminus \Sigma)(x) = out(sioa(X \setminus \Sigma))(x) = out(sioa(X) \setminus \Sigma)(x)$. By Definition 7,
$out(sioa(X) \setminus \Sigma)(x) = out(sioa(X))(x) - \Sigma$. By Definition 19, which is applicable since $X$ is a
configuration automaton, $out(sioa(X))(x) = out(X)(x)$. Hence, $out(sioa(X))(x) - \Sigma = out(X)(x) - \Sigma$.
Putting the above equalities together, we obtain

$out(X \setminus \Sigma)(x) = out(X)(x) - \Sigma$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4a. Hence

$out(X)(x) \subseteq out(config(X)(x))$. (b)

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence,

$out(config(X)(x)) = out(config(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $out(X \setminus \Sigma)(x) \subseteq out(X)(x) \subseteq out(config(X)(x)) = out(config(X \setminus \Sigma)(x))$,
as desired.

Constraint 4b: $in(X \setminus \Sigma)(x) = in(config(X \setminus \Sigma)(x))$.

By Definition 25, $in(X \setminus \Sigma)(x) = in(sioa(X \setminus \Sigma))(x) = in(sioa(X) \setminus \Sigma)(x)$. By Definition 7,
$in(sioa(X) \setminus \Sigma)(x) = in(sioa(X))(x)$. By Definition 19, which is applicable since $X$ is a configuration
automaton, $in(sioa(X))(x) = in(X)(x)$. Putting the above equalities together, we obtain

$in(X \setminus \Sigma)(x) = in(X)(x)$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4b. Hence

$in(X)(x) = in(config(X)(x))$. (b)

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence,

$in(config(X)(x)) = in(config(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $in(X \setminus \Sigma)(x) = in(X)(x) = in(config(X)(x)) = in(config(X \setminus \Sigma)(x))$, as
desired.

Constraint 4c: $int(X \setminus \Sigma)(x) \supseteq int(config(X \setminus \Sigma)(x))$.

By Definition 25, $int(X \setminus \Sigma)(x) = int(sioa(X \setminus \Sigma))(x) = int(sioa(X) \setminus \Sigma)(x)$. By Definition 7,
$int(sioa(X) \setminus \Sigma)(x) = int(sioa(X))(x) \cup (out(sioa(X))(x) \cap \Sigma)$. By Definition 19, which is applicable
since $X$ is a configuration automaton, $int(sioa(X))(x) = int(X)(x)$ and $out(sioa(X))(x) =
out(X)(x)$. Hence, $int(sioa(X) \setminus \Sigma)(x) = int(X)(x) \cup (out(X)(x) \cap \Sigma)$. Putting the above equalities
together, we obtain

$int(X \setminus \Sigma)(x) = int(X)(x) \cup (out(X)(x) \cap \Sigma)$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4c. Hence

$int(X)(x) \supseteq int(config(X)(x))$. (b)

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence,

$int(config(X)(x)) = int(config(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $int(X \setminus \Sigma)(x) \supseteq int(X)(x) \supseteq int(config(X)(x)) = int(config(X \setminus \Sigma)(x))$,
as desired.

Constraint 4d: $out(X \setminus \Sigma)(x) \cup int(X \setminus \Sigma)(x) = out(config(X \setminus \Sigma)(x)) \cup int(config(X \setminus \Sigma)(x))$.
In the proofs for Constraints 4a and 4c above, we established (the equations marked "(a)")

$out(X \setminus \Sigma)(x) = out(X)(x) - \Sigma$,

$int(X \setminus \Sigma)(x) = int(X)(x) \cup (out(X)(x) \cap \Sigma)$.

Now $(out(X)(x) - \Sigma) \cup (out(X)(x) \cap \Sigma) = out(X)(x)$, and so

$out(X \setminus \Sigma)(x) \cup int(X \setminus \Sigma)(x) = out(X)(x) \cup int(X)(x)$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4d. Hence

$out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup int(config(X)(x))$. (b)

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence,

$out(config(X)(x)) \cup int(config(X)(x)) = out(config(X \setminus \Sigma)(x)) \cup int(config(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $out(X \setminus \Sigma)(x) \cup int(X \setminus \Sigma)(x) = out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup
int(config(X)(x)) = out(config(X \setminus \Sigma)(x)) \cup int(config(X \setminus \Sigma)(x))$, as desired.

Since we have established that $X \setminus \Sigma$ satisfies all the constraints, the proof is done. □
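Constraint 4 of Definition 19 and its preservation under hiding (Proposition 18) are both plain set algebra, so they can be checked directly. The following is an added example, not code from the paper: it evaluates subconstraints 4a to 4d at each state given $sig(X)(x)$ and the intrinsic signature of $config(X)(x)$ (the latter supplied already computed, as Definition 17 gives it), and applies the signature transformation that the proof above quotes from Definition 7 ($out - \Sigma$, $in$ unchanged, $int \cup (out \cap \Sigma)$) while keeping $config(X)$ fixed, as Definition 25 requires. The automaton X with states 'x0', 'x1', its signatures and the action names are constructed.

```python
"""Constraint 4 of Definition 19, and its preservation by action hiding (Definition 25,
Proposition 18).  Added example; not code from the paper.  Signatures are (in, out, int)
triples of action names; the intrinsic signature of config(X)(x) is supplied already computed
(Definition 17), so only the set algebra of the constraints is shown here.  The automaton X
below, with states 'x0' and 'x1', is constructed for illustration."""


def constraint4_violations(x_sig, cfg_sig):
    """Return the subconstraints among 4a-4d that x_sig = sig(X)(x) violates against
    cfg_sig = sig(config(X)(x)); the empty list means all four hold."""
    xin, xout, xint = x_sig
    cin, cout, cint = cfg_sig
    bad = []
    if not xout <= cout:                 # 4a: X may not output what its configuration cannot
        bad.append("4a")
    if xin != cin:                       # 4b: inputs are exactly the configuration's inputs
        bad.append("4b")
    if not xint >= c_int(cint):          # 4c: every internal action of the configuration stays internal
        bad.append("4c")
    if (xout | xint) != (cout | cint):   # 4d: the locally controlled actions are preserved
        bad.append("4d")
    return bad


def c_int(cint):
    """Identity helper kept separate so the 4c test above reads as 'int(X)(x) contains int(config)'."""
    return cint


def check_automaton(x_sigs, cfg_sigs):
    """Apply constraint 4 at every state; returns {state: violations} for violating states only."""
    report = {}
    for x in x_sigs:
        violations = constraint4_violations(x_sigs[x], cfg_sigs[x])
        if violations:
            report[x] = violations
    return report


def hide(sig, sigma):
    """Signature of sioa(X) \\ Sigma at one state, as the proof of Proposition 18 states it
    (Definition 7): outputs in Sigma become internal, inputs are untouched."""
    inp, out, intl = sig
    return (set(inp), out - sigma, intl | (out & sigma))


def hide_automaton(x_sigs, sigma):
    """X \\ Sigma per Definition 25: only sig(X) changes; config(X) and created(X) are kept."""
    return {x: hide(s, sigma) for x, s in x_sigs.items()}


# Intrinsic signatures of config(X)(x0) and config(X)(x1), constructed.
CFG_SIGS = {"x0": ({"req"}, {"resp", "log"}, {"tick"}),
            "x1": (set(), {"resp"}, set())}
# A valid X: at x0 it has already made 'log' internal (allowed by 4a, 4c, 4d together).
X_SIGS = {"x0": ({"req"}, {"resp"}, {"tick", "log"}),
          "x1": (set(), {"resp"}, set())}
# An invalid X: at x0 it advertises an output 'extra' that no SIOA in the configuration has.
X_BAD_SIGS = {"x0": ({"req"}, {"resp", "log", "extra"}, {"tick"}),
              "x1": (set(), {"resp"}, set())}

if __name__ == "__main__":
    print(check_automaton(X_SIGS, CFG_SIGS))                            # {}
    print(check_automaton(X_BAD_SIGS, CFG_SIGS))                        # {'x0': ['4a', '4d']}
    print(check_automaton(hide_automaton(X_SIGS, {"resp"}), CFG_SIGS))  # {} : Proposition 18
```

Hiding only moves actions from $out$ to $int$, so the union in 4d is unchanged, 4a can only become easier to satisfy and 4c only gains elements, which is exactly the shape of the argument in the proof above; the check confirms it on the constructed instance.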

5.3 Action Renaming for Configuration Automata 

Definition 26 Let $C = (\mathcal{A}, S)$ be a compatible configuration and let $\rho$ be an injective mapping
from actions to actions whose domain includes $\bigcup_{A \in \mathcal{A}} acts(A)$. Then we define $\rho(C) = (\rho(\mathcal{A}), \rho(S))$
where $\rho(\mathcal{A}) = \{\rho(A) \mid A \in \mathcal{A}\}$, and $\rho(S)(\rho(A)) = S(A)$ for all $A \in \mathcal{A}$.

Definition 27 (Action renaming for configuration automata) Let $X$ be a configuration
automaton and let $\rho$ be an injective mapping from actions to actions whose domain includes
$\bigcup_{C \in states(X)} sig(X)(C)$. Then $\rho(X)$ consists of the following components:

1. A signature I/O automaton $\rho(sioa(X))$

2. A configuration mapping $config(\rho(X))$ with domain $states(X)$ and such that $config(\rho(X))(x) =
\rho(config(X)(x))$.

3. For each $x \in states(\rho(X))$, a mapping $created(\rho(X))(x)$ with domain $sig(\rho(X))(x)$ and such
that $created(\rho(X))(x)(\rho(a)) = \{\rho(A) \mid A \in created(X)(x)(a)\}$ for all $a \in sig(X)(x)$.

Proposition 19 Let $X$ be a configuration automaton and let $\rho$ be an injective mapping from actions
to actions whose domain includes $\bigcup_{C \in states(X)} sig(X)(C)$. Then $\rho(X)$ is a configuration automaton.

Proof: We must show that $\rho(X)$ satisfies the constraints of Definition 19. Since $X$ is a configuration automaton, constraints 1, 2, and 3 hold for $X$. From Definitions 27 and 8, we see that the states of $\rho(X)$ and the configurations in $config(\rho(X))(x)$ are unchanged by applying $\rho$. Hence constraint 1 also holds for $\rho(X)$.

Constraints 2 and 3 hold since $\rho$ is injective, so we can simply replace $a$ by $\rho(a)$ uniformly in the transition relation of both $\rho(X)$ and the configurations in $config(\rho(X))(x)$. The constraints for $\rho(X)$ then follow from the corresponding ones for $X$.

By Definitions 26 and 27, we have $out(config(\rho(X))(x)) = \rho(out(config(X)(x)))$ and $out(\rho(X))(x) = \rho(out(X)(x))$. Since constraint 4a holds for $X$, we have $out(X)(x) \subseteq out(config(X)(x))$. Hence $\rho(out(X)(x)) \subseteq \rho(out(config(X)(x)))$. Hence $out(\rho(X))(x) \subseteq out(config(\rho(X))(x))$. Hence constraint 4a holds for $\rho(X)$.

The other subconstraints of constraint 4 can be established in a similar manner. □

5.4 Multi-level Configuration Automata 

Since a configuration automaton is an SIOA, it is possible for a configuration automaton to create another configuration automaton. This leads to a notion of "multi-level," or "nested," configuration automata. The nesting structure will be well-founded, that is, the binary relation "$x$ is created by $y$" will be well-founded in all global states.

This ability to nest entire configuration automata makes our model very flexible. For example, administrative domains can be modeled in a natural and straightforward manner. It should also be possible to emulate the operations of the ambient calculus [CG00].

6 Compositional Reasoning for Configuration Automata 

We now establish compositionality results for configuration automata analogous to those established 
above for SIOA. 

The notions of execution and trace of a configuration automaton X depend solely on the 
SIOA component sioa(X). Furthermore, the SIOA component of a composition of configuration 
automata depends only on the SIOA components of the individual configuration automata (see 
Definition 24). It follows that the results of Section 3 carry over for configuration automata with 
no modification. We restate them for configuration automata solely for the sake of completeness. 

6.1 Execution Projection and Pasting for Configuration Automata 

Definition 28 (Execution projection for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. Let $\alpha$ be a sequence $C_0 a_1 C_1 a_2 C_2 \cdots C_{j-1} a_j C_j \ldots$ where $\forall j \ge 0$, $C_j = \langle C_{j,1}, \ldots, C_{j,n} \rangle \in states(X)$ and $\forall j > 0$, $a_j \in sig(X)(C_{j-1})$. Then, define $C_j \lceil X_i = C_{j,i}$. Also, define $\alpha \lceil X_i$ ($1 \le i \le n$) to be the sequence resulting from:

1. replacing each $C_j$ by its $i$'th component $C_{j,i}$, and then

2. removing all $a_j C_{j,i}$ such that $a_j \notin sig(X_i)(C_{j-1,i})$.

Our execution projection result states that the projection of an execution (of a composed configuration automaton $X = X_1 \parallel \cdots \parallel X_n$) onto a component $X_i$ is an execution of $X_i$.



Theorem 20 (Execution projection for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. If $\alpha \in execs(X)$ then $\alpha \lceil X_i \in execs(X_i)$.

Our execution pasting result requires that a candidate execution $\alpha$ of a composed automaton $X = X_1 \parallel \cdots \parallel X_n$ must project onto an actual execution of every component $X_i$, and also that every action of $\alpha$ not involving $X_i$ does not change the configuration of $X_i$. In this case, $\alpha$ will be an actual execution of $X$.

Theorem 21 (Execution pasting for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. Let $\alpha$ be a sequence $C_0 a_1 C_1 a_2 C_2 \cdots C_{j-1} a_j C_j \ldots$ where $\forall j \ge 0$, $C_j = \langle C_{j,1}, \ldots, C_{j,n} \rangle \in states(X)$ and $\forall j > 0$, $a_j \in sig(X)(C_{j-1})$. Furthermore, suppose that

1. for all $1 \le i \le n$: $\alpha \lceil X_i \in execs(X_i)$, and

2. for all $j > 0$: if $a_j \notin sig(X_i)(C_{j-1,i})$ then $C_{j-1,i} = C_{j,i}$.

Then, $\alpha \in execs(X)$.
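The projection of Definition 28 and the two hypotheses of Theorem 21, as an added Python example (this is not code from the paper): two constructed toy components whose signatures depend on their state, a `project` function carrying out the two steps of the definition, and `paste_check`, which tests both hypotheses on a candidate sequence of the composition. Component names, states, actions and the candidate sequences are constructed for illustration; $sig(X)(C)$ is taken as the union of the component signatures.

```python
from dataclasses import dataclass
from typing import Callable

# Added example: execution projection (Definition 28) and the hypotheses of
# execution pasting (Theorem 21) over constructed toy components.

@dataclass
class Component:
    name: str
    sig: Callable[[str], set]            # sig(X_i)(s): actions in the signature at state s
    step: Callable[[str, str], object]   # transition function: (s, a) -> s', or None

# X1: a sender whose signature changes with its state (send only when idle, ack only when sent).
def sig1(s):
    return {"send"} if s == "idle" else {"ack"}

def step1(s, a):
    return {("idle", "send"): "sent", ("sent", "ack"): "idle"}.get((s, a))

# X2: a receiver that can also "log" on its own once it has received.
def sig2(s):
    return {"send"} if s == "wait" else {"ack", "log"}

def step2(s, a):
    return {("wait", "send"): "got", ("got", "ack"): "wait", ("got", "log"): "got"}.get((s, a))

COMPS = [Component("X1", sig1, step1), Component("X2", sig2, step2)]

def project(alpha, i, comps):
    """alpha|X_i: alpha = [C_0, a_1, C_1, a_2, C_2, ...], each C_j a tuple of component states.
    Step 1 replaces C_j by C_{j,i}; step 2 drops a_j C_{j,i} when a_j is not in sig(X_i)(C_{j-1,i})."""
    states, actions = alpha[0::2], alpha[1::2]
    comp = comps[i]
    out = [states[0][i]]
    for j, a in enumerate(actions, start=1):
        if a in comp.sig(states[j - 1][i]):
            out += [a, states[j][i]]
    return out

def is_execution(seq, comp):
    """seq = [s_0, a_1, s_1, ...] is an execution of comp iff every a_k is in sig(comp)(s_{k-1})
    and the transition from s_{k-1} on a_k leads to s_k."""
    states, actions = seq[0::2], seq[1::2]
    return all(a in comp.sig(states[k - 1]) and comp.step(states[k - 1], a) == states[k]
               for k, a in enumerate(actions, start=1))

def paste_check(alpha, comps):
    """Both hypotheses of Theorem 21: (1) every projection alpha|X_i is an execution of X_i,
    and (2) an action outside sig(X_i)(C_{j-1,i}) leaves X_i's component of the state unchanged.
    By the theorem, a candidate satisfying both is an execution of the composition."""
    states, actions = alpha[0::2], alpha[1::2]
    for i, comp in enumerate(comps):
        if not is_execution(project(alpha, i, comps), comp):
            return False
        for j, a in enumerate(actions, start=1):
            if a not in comp.sig(states[j - 1][i]) and states[j - 1][i] != states[j][i]:
                return False
    return True

# Constructed candidate executions of X1 || X2 (each C_j is (state of X1, state of X2)).
GOOD = [("idle", "wait"), "send", ("sent", "got"), "log", ("sent", "got"), "ack", ("idle", "wait")]
# Both projections of BAD are executions of their components, but "log" (not in sig(X1)("sent"))
# changes X1's state, so hypothesis (2) fails and BAD is not an execution of the composition.
BAD = [("idle", "wait"), "send", ("sent", "got"), "log", ("idle", "got")]

if __name__ == "__main__":
    print(project(GOOD, 0, COMPS))                              # ['idle', 'send', 'sent', 'ack', 'idle']
    print(paste_check(GOOD, COMPS), paste_check(BAD, COMPS))    # True False
```

The `BAD` candidate is the reason the theorem needs hypothesis (2): projection alone cannot see that an action outside a component's signature moved that component.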

6.2 Trace Pasting for Configuration Automata 

Corollary 22 (Trace pasting for Configuration Automata) Let $X_1, \ldots, X_n$ be compatible configuration automata, and let $X = X_1 \parallel \cdots \parallel X_n$. Let $\beta$ be a trace and $\beta_1, \ldots, \beta_n$ be such that $\beta_j \in traces(X_j)$ for all $j \in [n]$. If $zip(\beta, \beta_1, \ldots, \beta_n)$ holds, then $\beta \in traces(X)$.

6.3 Trace Substitutivity for Configuration Automata

Theorem 23 (Trace Substitutivity for Configuration Automata) Let $X_1, \ldots, X_n$ be compatible configuration automata, and let $X = X_1 \parallel \cdots \parallel X_n$. For some $j \in [n]$, let $X_j, X'_j$ be configuration automata such that $traces(X_j) \subseteq traces(X'_j)$, and let $X' = X_1 \parallel \cdots \parallel X'_j \parallel \cdots \parallel X_n$. Then $traces(X) \subseteq traces(X')$.

7 Modeling Dynamic Connection and Locations 

We stated in the introduction that we model both the dynamic creation/moving of connections, and 
the mobility of agents, by using dynamically changing external interfaces. The guiding principle 
here is the notion that an agent should only interact directly with either (1) another co-located 
agent, or (2) a channel one of whose ends is co-located with the agent. Thus, we restrict interaction 
according to the current locations of the agents. 

We adopt a logical notion of location: a location is simply a value drawn from the domain of "all locations." To codify our guiding principle, we partition the set of SIOA into two subsets, namely the set of agent SIOA, and the set of channel SIOA. Agent SIOA have a single location, and represent agents, and channel SIOA have two locations, namely their current endpoints. We assume that all configurations are compatible, and codify the guiding principle as follows: for any configuration, the following conditions all hold: (1) two agent SIOA have a common external action only if they have the same location, (2) an agent SIOA and a channel SIOA have a common external action only if one of the channel endpoints has the same location as the agent SIOA, and (3) two channel SIOA have no common external actions.
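The three locality conditions as an added Python check (not the paper's code): a constructed configuration of agent SIOA (one location each) and channel SIOA (two endpoint locations), whose names, locations and external-action sets are all constructed; `locality_violations` lists every pair that shares an external action in violation of conditions (1)-(3), and `relocate` shows how moving an agent changes which interactions the principle permits.

```python
from dataclasses import dataclass, replace
from itertools import combinations

# Added example: checking the locality principle over a constructed configuration.

@dataclass(frozen=True)
class AgentSIOA:
    name: str
    location: str          # a single logical location
    ext: frozenset         # external (input and output) actions

@dataclass(frozen=True)
class ChannelSIOA:
    name: str
    endpoints: tuple       # the channel's two current endpoint locations
    ext: frozenset

def pair_allowed(a, b):
    """Conditions (1)-(3): whether a and b may share an external action at all."""
    if isinstance(a, AgentSIOA) and isinstance(b, AgentSIOA):
        return a.location == b.location                       # (1) co-located agents
    if isinstance(a, ChannelSIOA) and isinstance(b, ChannelSIOA):
        return False                                          # (3) channels never share actions
    agent, chan = (a, b) if isinstance(a, AgentSIOA) else (b, a)
    return agent.location in chan.endpoints                   # (2) one channel end at the agent

def locality_violations(config):
    """Every pair sharing an external action without being allowed to; an empty list
    means the configuration satisfies the locality principle."""
    return [(a.name, b.name, a.ext & b.ext)
            for a, b in combinations(config, 2)
            if (a.ext & b.ext) and not pair_allowed(a, b)]

def relocate(config, name, location):
    """The configuration after agent `name` has moved to `location` (channel endpoints
    unchanged), to see the permitted interactions follow the current locations."""
    return [replace(x, location=location) if isinstance(x, AgentSIOA) and x.name == name else x
            for x in config]

# Constructed configuration: three agents on two hosts and two channels.
CONFIG = [
    AgentSIOA("A1", "h1", frozenset({"hello", "send"})),
    AgentSIOA("A2", "h1", frozenset({"hello"})),
    AgentSIOA("A3", "h2", frozenset({"hello", "recv"})),
    ChannelSIOA("ch1", ("h1", "h2"), frozenset({"send", "recv", "relay"})),
    ChannelSIOA("ch2", ("h2", "h3"), frozenset({"relay"})),
]

if __name__ == "__main__":
    for v in locality_violations(CONFIG):
        print(v)      # A1/A3 and A2/A3 share "hello" across hosts; ch1/ch2 share "relay"
    print(locality_violations(relocate(CONFIG, "A3", "h1")))   # only the channel pair remains
```

After `A3` moves to `h1`, its shared "hello" with `A1` and `A2` becomes legitimate, and its "recv" with `ch1` stays legitimate because `h1` is also an endpoint of `ch1`; the two channels sharing "relay" violate condition (3) regardless of location.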
8 Example: A Travel Agent System

Our example is a simple flight ticket purchase system. A client requests to buy an airline ticket. The client gives some "flight information," $f$, e.g., route and acceptable times for departure, arrival etc., and specifies a maximum price $f.mp$ they can pay. $f$ contains all the client information, including $mp$, as well as an identifier that is unique across all client requests. The request goes to a static (always existing) "client agent," who then creates a special "request agent" dedicated to the particular request. That request agent then visits a (fixed) set of databases where the request might be satisfied. If the request agent finds a satisfactory flight in one of the databases, i.e., a flight that conforms to $f$ and has price $< mp$, then it purchases some such flight, and returns a flight descriptor $fd$ giving the flight, and the price paid ($fd.p$) to the client agent, who returns it to the client. The request agent then terminates.

The agents in the system are: (1) ClientAgt, who receives all requests from the client, (2) ReqAgt(f), responsible for handling request $f$, and (3) $DBAgt_d$, $d \in \mathcal{D}$, the agent (i.e., front-end) for database $d$, where $\mathcal{D}$ is the set of all databases in the system. In writing automata, we shall identify automata using a "type name" followed by some parameters. This is only a notational convenience, and is not part of our model.

We first present a specification automaton, and then the client agent and request agents of an implementation (the database agents provide a straightforward query/response functionality, and are omitted for lack of space). When writing sets of actions, we make the convention that all free variables are universally quantified over their domains, so, e.g., $\{inform_d(f, flts), conf_d(fd, ok?)\}$ within action $select_d(f)$ below really denotes $\{inform_d(f, flts), conf_d(fd, ok?) \mid fd \in \mathcal{F}, flts \subseteq \mathcal{F}, ok? \in Bool\}$.

In the implementation, we enforce locality constraints by modifying the signature of ReqAgt(f) so that it can only query a database $d$ if it is currently at location $d$ (we use the database names for their locations). We allow ReqAgt(f) to communicate with ClientAgt regardless of its location. A further refinement would insert a suitable channel between ReqAgt(f) and ClientAgt for this communication (one end of which would move along with ReqAgt(f)), or would move ReqAgt(f) back to the location of ClientAgt.

We use "state variables" in, out, and int to denote the current sets of input, output, and 
internal actions in the SIOA state signature. 
Specification: Spec

Signature
  Input:
    request(f), where f ∈ ℱ
    inform_d(f, flts), where d ∈ 𝒟, f ∈ ℱ, and flts ⊆ ℱ
    conf_d(f, fd, ok?), where d ∈ 𝒟, f, fd ∈ ℱ, and ok? ∈ Bool
    select_d(f), where d ∈ 𝒟 and f ∈ ℱ
    adjustsig(f), where f ∈ ℱ
    initially: {request(f) : f ∈ ℱ} ∪ {select_d(f) : d ∈ 𝒟, f ∈ ℱ}
  Output:
    query_d(f), where d ∈ 𝒟 and f ∈ ℱ
    buy_d(f, flts), where d ∈ 𝒟, f ∈ ℱ, and flts ⊆ ℱ
    response(f, fd, ok?), where f, fd ∈ ℱ and ok? ∈ Bool
    initially: {response(f, fd, ok?) : f, fd ∈ ℱ, ok? ∈ Bool}
  Internal:
    initially: ∅

State
  status_f ∈ {notsubmitted, submitted, computed, replied}, status of request f, initially notsubmitted
  trans_{f,d} ∈ Bool, true iff the system is currently interacting with database d on behalf of request f, initially false
  okflts_{f,d} ⊆ ℱ, set of acceptable flights that has been found so far, initially empty
  resps ⊆ ℱ × ℱ × Bool, responses that have been calculated but not yet sent to client, initially empty
  x_{f,d} ∈ ℕ, bound on the number of times database d is queried on behalf of request f before a negative reply is returned to the client, initially any natural number greater than zero

Actions
  Input request(f)
    Eff: status_f ← submitted

  Input select_d(f)
    Eff: in ← (in ∪ {inform_d(f, flts), conf_d(fd, ok?)}) − {inform_{d'}(f, flts), conf_{d'}(fd, ok?) : d' ≠ d};
         out ← (out ∪ {query_d(f), buy_d(f, fd)}) − {query_{d'}(f), buy_{d'}(f, fd) : d' ≠ d}

  Output query_d(f)
    Pre: status_f = submitted ∧ x_{f,d} > 0
    Eff: x_{f,d} ← x_{f,d} − 1;
         trans_{f,d} ← true

  Input inform_d(f, flts)
    Eff: okflts_{f,d} ← okflts_{f,d} ∪ {fd : fd ∈ flts ∧ fd.p < f.mp}

  Output buy_d(f, flts)
    Pre: status_f = submitted ∧ flts = okflts_{f,d} ≠ ∅ ∧ trans_{f,d}
    Eff: skip

  Input conf_d(f, fd, ok?)
    Eff: trans_{f,d} ← false;
         if ok? then
           resps ← resps ∪ {(f, fd, true)};
           status_f ← computed
         else
           if ∀d : x_{f,d} = 0 then
             resps ← resps ∪ {(f, ⊥, false)};
             status_f ← computed
           else
             skip

  Output response(f, fd, ok?)
    Pre: (f, fd, ok?) ∈ resps ∧ status_f = computed
    Eff: status_f ← replied

  Input adjustsig(f)
    Eff: in ← in − {inform_d(f, flts), conf_d(f, fd, ok?)};
         out ← out − {query_d(f), buy_d(f, fd)}

We now give the client agent and request agents of the implementation. The initial configura- 
tion consists solely of the client agent ClientAgt. 
Client Agent: ClientAgt

Signature
  Input:
    request(f), where f ∈ ℱ
    req-agent-response(f, fd, ok?), where f, fd ∈ ℱ, and ok? ∈ Bool
  Output:
    response(f, fd, ok?), where f, fd ∈ ℱ and ok? ∈ Bool
  Internal:
    create(ClientAgt, ReqAgt(f)), where f ∈ ℱ

State
  reqs ⊆ ℱ, outstanding requests, initially empty
  created ⊆ ℱ, outstanding requests for whom a request agent has been created, but the response has not yet been returned to the client, initially empty
  resps ⊆ ℱ × ℱ × Bool, responses not yet returned to client, initially empty

Actions
  Input request(f)
    Eff: reqs ← reqs ∪ {f}

  Output create(ClientAgt, ReqAgt(f))
    Pre: f ∈ reqs ∧ f ∉ created
    Eff: created ← created ∪ {f}

  Input req-agent-response(f, fd, ok?)
    Eff: resps ← resps ∪ {(f, fd, ok?)};
         done ← done ∪ {f}

  Output response(f, fd, ok?)
    Pre: (f, fd, ok?) ∈ resps
    Eff: resps ← resps − {(f, fd, ok?)}

ClientAgt receives requests from a client (not portrayed), via the request input action. ClientAgt accumulates these requests in reqs, and creates a request agent ReqAgt(f) for each one. Upon receiving a response from the request agent, via input action req-agent-response, the client agent adds the response to the set resps, and subsequently communicates the response to the client via the response output action. It also removes all record of the request at this point.
Request Agent: ReqAgt(f) where f ∈ ℱ

Signature
  Input:
    inform_d(f, flts), where d ∈ 𝒟 and flts ⊆ ℱ
    conf_d(f, fd, ok?), where d ∈ 𝒟, fd ∈ ℱ, and ok? ∈ Bool
    move_f(c, d), where d ∈ 𝒟
    move_f(d, d'), where d, d' ∈ 𝒟 and d ≠ d'
    terminate(ReqAgt(f))
    initially: {move_f(c, d) : d ∈ 𝒟}
  Output:
    query_d(f), where d ∈ 𝒟
    buy_d(f, flts), where d ∈ 𝒟 and flts ⊆ ℱ
    req-agent-response(f, fd, ok?), where fd ∈ ℱ and ok? ∈ Bool
    initially: ∅
  Internal:
    initially: ∅

State
  location ∈ {c} ∪ 𝒟, location of the request agent, initially c, the location of ClientAgt
  status ∈ {notsubmitted, submitted, computed, replied}, status of request f, initially notsubmitted
  trans_d ∈ Bool, true iff ReqAgt(f) is currently interacting with database d (on behalf of request f), initially false
  DBagents ⊆ 𝒟, databases that have not yet been queried, initially the list of all databases 𝒟
  donedb ∈ Bool, boolean flag, initially false
  done ∈ Bool, boolean flag, initially false
  tkt ∈ ℱ, the flight ticket that ReqAgt(f) purchases on behalf of the client, initially ⊥
  okflts_d ⊆ ℱ, set of acceptable flights that ReqAgt(f) has found so far, initially empty

Actions
  Input move_f(c, d)
    Eff: location ← d;
         donedb ← false;
         in ← {inform_d(f, flts), conf_d(f, fd, ok?)};
         out ← {query_d(f), buy_d(f, fd), req-agent-response(f, fd, ok?)};
         int ← ∅

  Output query_d(f)
    Pre: location = d ∧ d ∈ DBagents ∧ tkt = ⊥
    Eff: DBagents ← DBagents − {d};
         trans_d ← true

  Input inform_d(f, flts)
    Eff: okflts_d ← okflts_d ∪ {fd : fd ∈ flts ∧ fd.p < f.mp};
         if okflts_d = ∅ then
           trans_d ← false;
           int ← {move_f(d, d') : d' ∈ DBagents − {d}}

  Output buy_d(f, flts)
    Pre: location = d ∧ flts = okflts_d ≠ ∅ ∧ tkt = ⊥ ∧ trans_d ∧ status = submitted
    Eff: skip

  Input conf_d(f, fd, ok?)
    Eff: trans_d ← false;
         if ok? then
           tkt ← fd;
           status ← computed
         else
           if DBagents = ∅ then
             status ← computed
           else

  Input move_f(d, d')
    Eff: location ← d';
         donedb ← false;
         in ← {inform_{d'}(f, flts), conf_{d'}(f, fd, ok?)};
         out ← {query_{d'}(f), buy_{d'}(f, fd), req-agent-response(f, fd, ok?)};
         int ← ∅

  Output req-agent-response(f, fd, ok?)
    Pre: status = computed ∧ [ (fd = tkt ≠ ⊥ ∧ ok?) ∨ (DBagents = ∅ ∧ fd = ⊥ ∧ ¬ok?) ]
    Eff: status ← replied;
         in ← ∅;
         out ← ∅;
         int ← ∅
ReqAgt(f) handles the single request $f$, and then terminates itself. ReqAgt(f) has initial location $c$ (the location of ClientAgt) and traverses the databases in the system, querying each database $d$ using $query_d(f)$. Database $d$ returns a set of flights that match the schedule information in $f$. Upon receiving this ($inform_d(f, flts)$), ReqAgt(f) searches for a suitably cheap flight (the $\exists fd \in flts : fd.p < f.mp$ condition in $inform_d(f, flts)$). If such a flight exists, then ReqAgt(f) attempts to buy it ($buy_d(f, flts)$ and $conf_d(f, fd, ok?)$). If successful, then ReqAgt(f) returns a positive response to ClientAgt and terminates. ReqAgt(f) can return a negative response if it queries each database once and fails to buy a flight.

We note that the implementation refines the specification (provided that all actions except $request(f)$ and $response(f, fd, ok?)$ are hidden) even though the implementation queries each database exactly once before returning a negative response, whereas the specification queries each database some finite number of times before doing so. Thus, no reasonable bisimulation notion could be established between the specification and the implementation. Hence, the use of a simulation, rather than a bisimulation, allows us much more latitude in refining a specification into an implementation.
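The ReqAgt(f) listing above rendered as runnable Python, as an added example that is not code from the paper: the in/out/int sets are replaced wholesale on every move_f, an action outside the current signature is refused (this is where the locality constraint bites), and a small driver feeds constructed database replies (flight sets for inform_d, outcomes for conf_d) until the agent's req-agent-response is enabled. The Flight and Request tuples, the encoding of actions as tuples, the driver `run`, and starting status at "submitted" (the listing starts it at notsubmitted but never changes it, which would leave buy_d disabled) are assumptions of this example.

```python
from collections import namedtuple

# Added example: executable rendering of the ReqAgt(f) listing with its dynamic
# signature. Assumption beyond the listing: status starts as "submitted".
Flight = namedtuple("Flight", "code p")      # p is the paper's fd.p (price)
Request = namedtuple("Request", "id mp")     # mp is the paper's f.mp (maximum price)

def key(action):
    """Signature membership by action schema: (kind, d) for the d-indexed actions,
    the full triple for a move, and kind alone for req-agent-response."""
    kind = action[0]
    if kind == "move":
        return action
    return (kind,) if kind == "req-agent-response" else (kind, action[1])

class ReqAgt:
    def __init__(self, f, databases, client_loc="c"):
        self.f, self.location, self.status = f, client_loc, "submitted"
        self.DBagents = set(databases)
        self.trans = {d: False for d in databases}
        self.okflts = {d: set() for d in databases}
        self.tkt = None                                            # the paper's ⊥
        self.inp = {("move", client_loc, d) for d in databases}    # initial in
        self.out, self.int_ = set(), set()                         # initial out, int

    def sig(self):
        return self.inp | self.out | self.int_

    def _arrive(self, d):
        """Eff of move_f(., d): relocate and rebuild the whole signature around d."""
        self.location = d
        self.inp = {("inform", d), ("conf", d)}
        self.out = {("query", d), ("buy", d), ("req-agent-response",)}
        self.int_ = set()

    def enabled_outputs(self):
        """Output actions whose Pre holds and which are in the current out signature."""
        d, outs = self.location, []
        if ("query", d) in self.out and d in self.DBagents and self.tkt is None:
            outs.append(("query", d))
        if ("buy", d) in self.out and self.okflts[d] and self.tkt is None \
                and self.trans[d] and self.status == "submitted":
            outs.append(("buy", d, frozenset(self.okflts[d])))
        if ("req-agent-response",) in self.out and self.status == "computed":
            if self.tkt is not None:
                outs.append(("req-agent-response", self.tkt, True))
            elif not self.DBagents:
                outs.append(("req-agent-response", None, False))
        return outs

    def step(self, action):
        """Apply an action's Eff; an action outside the signature is refused, which is
        how the locality constraint (only the current database can talk to us) is enforced."""
        if key(action) not in self.sig():
            raise ValueError(f"{action} not in signature at location {self.location}")
        kind = action[0]
        if kind == "move":
            self._arrive(action[2])
        elif kind == "query":
            self.DBagents.discard(action[1])
            self.trans[action[1]] = True
        elif kind == "inform":
            d, flts = action[1], action[2]
            self.okflts[d] |= {fd for fd in flts if fd.p < self.f.mp}
            if not self.okflts[d]:            # nothing affordable here: enable moving on
                self.trans[d] = False
                self.int_ = {("move", d, d2) for d2 in self.DBagents - {d}}
        elif kind == "conf":
            d, fd, ok = action[1], action[2], action[3]
            self.trans[d] = False
            if ok:
                self.tkt, self.status = fd, "computed"
            elif not self.DBagents:
                self.status = "computed"
        elif kind == "req-agent-response":
            self.status = "replied"
            self.inp, self.out, self.int_ = set(), set(), set()
        # buy_d has Eff: skip

def run(f, db_flights, db_confirms):
    """Drive ReqAgt(f) through the databases in a fixed order with constructed replies:
    db_flights[d] is what inform_d returns, db_confirms[d] the ok? of conf_d.
    Returns (trace, (fd, ok?)), or (trace, None) if the listing reaches no response."""
    agent, trace = ReqAgt(f, list(db_flights)), []
    def do(a):
        agent.step(a)
        trace.append(a)
    for d in sorted(db_flights):
        if ("move", agent.location, d) not in agent.sig():
            return trace, None
        do(("move", agent.location, d))
        do(("query", d))
        do(("inform", d, frozenset(db_flights[d])))
        for buy in [a for a in agent.enabled_outputs() if a[0] == "buy"]:
            do(buy)
            fd = min(buy[2], key=lambda x: x.p)    # constructed: database confirms the cheapest
            do(("conf", d, fd, db_confirms[d]))
        for resp in [a for a in agent.enabled_outputs() if a[0] == "req-agent-response"]:
            do(resp)
            return trace, resp[1:]
    return trace, None
```

Hiding every action of the trace except the final req-agent-response leaves only the (fd, ok?) pair visible, which is the sense in which the implementation's single visit per database and the specification's bounded number of visits produce the same externally visible behaviour. The driver stops, returning `None`, whenever the listing's effects enable no further move; for instance, as printed, conf_d(f, fd, false) enables no move while databases remain.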

9 Conclusions and Further Research 

There are many avenues for further work. We will investigate the relationship between DIOA and the π-calculus, and will in particular look into embedding the π-calculus into DIOA. This should provide insight into the relationship between the two models, and into the implications of the choice of primitive notion: automata and actions for DIOA versus names and channels for the π-calculus. We note that the use of unique SIOA identifiers is crucial to our model: it enables the definition of the execution projection operator, and the establishment of execution projection/pasting and trace pasting results. This then yields our trace substitutivity result. The π-calculus does not have such identifiers, and so the only compositionality results in the π-calculus are with respect to simulation, rather than trace inclusion. Since simulation is incomplete with respect to trace inclusion, our compositionality result has wider scope than that of the π-calculus. When the traces of $A$ are included in those of $B$, but there is no simulation from $A$ to $B$, our approach will allow $B$ to be replaced by $A$, and we can automatically conclude that correctness is preserved, i.e., no new behaviors are introduced in the overall system. In approaches relying on simulation, the verification of correctness would have to be redone for the entire system, necessitating much greater effort.

We will also investigate the use of DIOA as a semantic model for object-oriented programming. Since we can express dynamic aspects of OOP, such as the creation of objects, directly, we feel this is a promising direction. Embedding a model of objects into DIOA would then automatically provide the metatheory for verification and refinement of OO programs.

Agent systems should be able to operate in a dynamic environment, with processor failures, 
unreliable channels, and timing uncertainties. Thus, we need to extend our model to deal with fault- 
tolerance and timing. We shall also extend the framework of [Att99] for verifying liveness properties 
to our model. This should be relatively straightforward, since [Att99] uses only properties of forward 
simulation that should also carry over to our setting. 